Morning! welcome to and thanks for checking it out. Today, I’ll write this post about Arista and why /var/log/lastlog is HUGE, but firstly let me introduce Arista

About Arista

Arista Networks was founded to pioneer and deliver software-driven cloud networking solutions for large data center storage and computing environments. Arista’s award-winning platforms, ranging in Ethernet speeds from 10 to 100 gigabits per second, redefine scalability, agility and resilience. Arista has shipped more than 15 million cloud networking ports worldwide with CloudVision and EOS, an advanced network operating system. Committed to open standards, Arista is a founding member of the 25/50GbE consortium.

Arista Networks products are available worldwide directly and through partners and is a leader in building scalable, high-performance and ultra-low latency cloud networks with low power consumption and a small footprint for modern data center and cloud computing environments. It has been awared by Gartner as a Leader in its 2017 Magic Quadrant for Data Center Networking.

Why /var/log/lastlog is HUGE

After login in the Arista switch, the system shows a warning.

so it seems related to /var/log

as we can see /var/log is 94% used, which is not good. But the lastlog is “using” 30 GB!!!!!

This is because space is “allocated” ahead of time for all possible user IDs, which is about 232 users multiplied by 256 bytes for each login record. This is, thankfully, an illusion. The lastlog file is created as a sparse file, so only the chunks of the file that are used actually take up physical storage space. So all the space really isn’t allocated.

To see how big the file really is use the “du” command. In this case, the log is 72K


It’s related to the a bug which is hitting the BUG-177893  introduced in 4.14.5 and fixed in 4.20.5 OS.
Release Note: “On every Event Monitor sync or show command, eventMon database at /var/log/eventMon.db will grow without bounds until user explicitly clears the db using event-monitor clear command.”

  1. To retrieve the space you will need to clear the current entries from the database tables using the following command.
  2. Once this is done, we should be able to see the file size decrease for the eventMon.db file in /var/log directory.
  3. We can limit the number of records to store by adjusting the default backlog for event-monitor.

    BTW: The clear command is not impacting. It is just clearing the logs and it can be run at anytime

Thanks for sharing!

Sharing is caring!


Leave a comment

Your email address will not be published.