http://www.rs6000.ibm.com/resource/
Use the following command to read the contents of the file.
who /etc/security/failedlogin
The condition of ttys respawning too rapidly will create failed login entries. To clear the file after reading or saving the output, execute the following command:
cp /dev/null /etc/security/failedlogin
If a device name is mis-typed, as in "rmto" instead of "rmt0", a file will be created in /dev called "rmto". The command will normally proceed until the entire root file system is filled before failing (/dev is part of the / file system). Look for entries that are not devices (that do not have a major or minor number).
Execute the following:
cd /dev
ls -l | pg
Where an ordinary file shows a file size, a device file shows two numbers (the major and minor numbers) separated by a comma.
Example
crw-rw-rw- 1 root system 12, 0 Oct 25 10:19 rmt0
If the output looks like the following, the file should be removed.
Example
crw-rw-rw- 1 root system 9375473 Oct 25 10:19 rmto
NOTE: The /dev directory has some valid file names. Look for a file that has a large size (larger than 500 bytes).
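The /dev check described above can be scripted. The following is an added example, not part of the original document; the function name stray_dev_files and its output format are assumptions. It lists ordinary files above the size threshold and uses fuser, where available, to show whether a process still holds each one open.

```shell
# Added example, not from the original document.
# stray_dev_files [DIR] [MIN_BYTES]
# Prints "<bytes> <state> <path>" for each regular file in DIR larger than
# MIN_BYTES, largest first. state is in-use, not-in-use or unknown.
stray_dev_files() {
    dir=${1:-/dev}
    min=${2:-500}
    # -type f matches ordinary files only; device nodes are type c or b.
    # -xdev keeps find on the file system that holds DIR.
    find "$dir" -xdev -type f -size +"${min}"c -print 2>/dev/null |
    while IFS= read -r f; do
        bytes=$(ls -ln "$f" | awk '{print $5}')
        if command -v fuser >/dev/null 2>&1; then
            # fuser writes the PIDs of processes using the file to stdout
            if fuser "$f" 2>/dev/null | grep -q '[0-9]'; then
                state=in-use
            else
                state=not-in-use
            fi
        else
            state=unknown
        fi
        printf '%s %s %s\n' "$bytes" "$state" "$f"
    done | sort -rn
}
```

Run it as stray_dev_files /dev 500 and review each path before removing anything.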
NOTE: If system auditing is running, the /audit directory (default) may rapidly fill up and require attention.
Large files can be located with the find command. For example, to find all files in the root (/) directory larger than 1 MB, type the following command:
find / -xdev -size +2048 -ls |sort -r +6
This will find all files greater than 1 MB and sort them in reverse order with the largest files first.
NOTE: When checking the root directory, entries from the /dev directory that have major and minor numbers instead of file sizes will be interspersed with "real" files and can be ignored.
Other find command flags may be helpful, such as the -newer flag. For versions of AIX prior to 4.3, use InfoExplorer to learn more about such flags.
NOTE: Before removing any files, the user should check to see if the file is currently in use by an active user process. Execute the following command:
fuser <filename>
<filename> is the name of the file being checked for use by an active user process. If a file is "open" at the time of removal, it is only removed from the directory listing. The blocks allocated to that file are not freed until the process holding the file open is killed.
/var/adm/wtmp is a file that is used to log all "logins", "rlogins" and "tn" sessions. If it is not monitored it will grow indefinitely unless system accounting is running. System accounting will clear it out nightly. /var/adm/wtmp can either be cleared out or edited to remove old and unwanted information.
To clear /var/adm/wtmp, execute the following:
cp /dev/null /var/adm/wtmp
To edit the file and remove unwanted entries, execute the following:
/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/out
Edit the /tmp/out file to remove unwanted entries, then put the edited version back in wtmp by executing the following command:
/usr/sbin/acct/fwtmp -ic < /tmp/out > /var/adm/wtmp
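/etc/security/failedlogin and /var/adm/wtmp are the system's login records, so the "save the output" step is worth scripting. The following is an added example, not part of the original document; the function name archive_and_clear and the archive directory are assumptions. It keeps a verified copy and then clears the file with the same cp /dev/null method.

```shell
# Added example, not from the original document.
# archive_and_clear FILE ARCHIVE_DIR
# Saves a timestamped copy of FILE, verifies it, then truncates FILE.
# Prints the path of the saved copy on success.
archive_and_clear() {
    src=$1
    dest_dir=$2
    [ -f "$src" ] || { echo "not a regular file: $src" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1
    copy="$dest_dir/$(basename "$src").$(date +%Y%m%d%H%M%S)"
    # -p keeps the owner and timestamps of the record file
    cp -p "$src" "$copy" || return 1
    # cksum prints a CRC and a byte count; both must match the original
    if [ "$(cksum < "$src")" != "$(cksum < "$copy")" ]; then
        echo "copy differs from $src, not clearing" >&2
        return 1
    fi
    chmod 600 "$copy"
    # Truncate in place: the file keeps its inode, owner and mode, so
    # processes that log to it carry on. Records written between the
    # checksum and this line are lost, so run it at a quiet time.
    cp /dev/null "$src" || return 1
    echo "$copy"
}
```

For example, archive_and_clear /var/adm/wtmp /var/adm/wtmp.archive, where the archive directory should sit on a file system with free space.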
This directory contains the error log, errlog. It is never cleared unless it is manually cleared. DO NOT cp /dev/null to it or it will disable the error logging functions of the system. A zero (0) length errlog file must be replaced from a backup tape.
The log can be cleared of all entries, or of entries older than a certain number of days, using the errclear command.
errclear 0
errclear 7
NOTE: The trcfile file in this directory may be large due to a trace being run. The file can be removed by executing the following:
rm /var/adm/ras/trcfile
While old vi sessions can be used to recover files that were abnormally terminated, these files can be deleted. However, the user may want to keep some of the newer ones in case users want to recover files. To recover a file, execute the following:
vi -r filename
or
vi -r
This will list all available files that are recoverable.
This file tracks the number of attempted uses of su and whether they are successful or not. This is a flat file and can be viewed and modified with a favorite editor. If it is removed it will be recreated by the next attempted su.
This is used by the snmpd daemon as a log. If the file is removed it will be recreated by the snmpd daemon.
NOTE: The size of this file can be limited so that it does not grow indefinitely by editing the /etc/snmpd.conf file under the section for size. This is in bytes.
NOTE: The find command can also be used to discover large files in /var. Execute the following:
find /var -xdev -size +2048 -ls| sort -r +6
NOTE: AIX provides a general system cleanup script called skulker located in the /usr/sbin directory. Before attempting to run the skulker command, look at the skulker entry in InfoExplorer (for versions of AIX prior to 4.3). Read the script for details to determine what files it will delete and what time frame it will allow files to exist before deletion.
skulker may be run as a cron job using the following crontab entry:
0 3 * * * /usr/sbin/skulker
Consider limiting the errlog by running these entries in cron:
0 11 * * * /usr/bin/errclear -d S,O 30
0 12 * * * /usr/bin/errclear -d H 90
Use the find command with the -size flag to attempt to locate large files or, if the file system just filled up, use the -newer flag to find recently modified files. To produce a file for the -newer flag to find against, use the following touch command:
touch mmddhhmm filename
From left to right, the following correspondences apply:
Execute the following command:
find /filesystem_name -xdev -newer touched_file -ls
Another useful flag for the find command will allow files to be located that have been changed in the last 24 hours.
For example:
find /filesystem_name -xdev -mtime 0 -ls