This will most likely be the action of logrotate If you look in /etc/logrotate.conf you'll see something like
/var/log/wtmp {
missingok
monthly
create 0664 root utmp
rotate 1
}
Which says rotate the /var/log/wtmp file monthly and keep one previous copy. If you want to keep more then increase the rotate count
rotate count
Log files are rotated count times before being removed or mailed to the address specified in a mail directive. If count is 0, old versions are removed rather than rotated.
If you look in /var/log you'll probably find a selection of files like
/var/log/wtmp
/var/log/wtmp.1
If you want to access data from an earlier file you can use
last -f /var/log/wtmp.1
I think you or someone with root privileges has issued
cat /dev/null > /var/log/wtmp
which will delete the previous logins. check the modification time of wtmp
stat %s /var/log/wtmp
You are probably experiencing this on a server that is only infrequently accessed, and with a lastlog (/var/log/wtmp) which should be rotated less frequently.
Edit /etc/logrotate.conf Find the /var/log/wtmp section Increase the rotation period, from "monthly" to "yearly", for example.
Now when you use the last command, you will see a longer list of logins, over a longer time span, and you will feel better !
This issue involves some odd psychology involving "paradigms", belief systems and expectations based on conditioning through repetition. I have a proxy server which is not accessed much, and every time I execute "last", the very short list always causes me to feel suspicious. The feeling that something is wrong is merely the psychology of the paradigm that "you are accustomed (thousands of times) to seeing a much longer list of logins on your other servers", therefore you expect a long list ! A paradigm will cause a person to make a mistake over and over, all the while thinking that they did it correctly.
