/var/adm/wtmp - few entries & huge size.

Hi all.

I have a strange case on one of my AIX boxes. /var/adm/wtmp on server01 is ~ 400MB large but it only has ~1200 lines. For example on server02 there are ~85000 lines and the file is ~158MB large. I check lines through 'last | wc -l'. But when I check line directly with 'wc -l /var/adm/wtmp' for server01 I have 22483 lines and for server02 10575 lines. Quite strange for me :wink:

What should be checked? Where is the strange difference coming from?

wtmp is a binary file.

You can read it with:

/usr/sbin/acct/fwtmp < /var/adm/wtmp

then

/usr/sbin/acct/fwtmp < /var/adm/wtmp | wc -l
fwtmp Command

Purpose

       Manipulates connect-time accounting records by reading binary records in wtmp format from standard input, converting them to formatted ASCII records. The ASCII version is useful when it is necessary to edit bad records.

This might happen if somebody tried to shrink wtmp in an unsupported way. I.e. if you do not blank it (e.g. by cat'ing /dev/null onto it) or write data back without using fwtmp, you might damage wtmp in a way that only parts of it are usable. The second possibility is that /var got 100% full at the very moment the system logged information in wtmp. Either way you end up with a wtmp file where size and information do not seem to fit together.

How to shrink wtmp correctly has been explained a thousand times before. This procedure might also be used to repair a broken wtmp. You might want to search this group.
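The point made above (wtmp is a sequence of fixed-size binary records, so `wc -l` only counts stray 0x0A bytes and says nothing about the number of logins, while a file whose size is not a whole number of records, or that contains all-NUL records, is the signature of a truncated or hand-edited file) can be checked directly. The following script is an added example, not code from the thread or from AIX. It assumes a RECORD_SIZE equal to sizeof(struct utmp) on the system that wrote the file (384 bytes on glibc/Linux; AIX uses a different size, take it from <utmp.h> there); the sample bytes it inspects are constructed with a small record size purely for illustration.

```python
"""Sanity-check a wtmp file as fixed-size binary records (added example).

Reports: total size, whole records, leftover bytes that do not form a record
(a truncated or overwritten tail), records that are entirely NUL (typical of a
full filesystem or a hand-blanked file), and the number of newline bytes,
which is all `wc -l` measures on a binary file.
"""
import os
import tempfile

# Assumption: sizeof(struct utmp) on the producing host. 384 is glibc/Linux;
# on AIX check <utmp.h>, the value is different.
RECORD_SIZE = 384


def inspect_wtmp(data: bytes, record_size: int) -> dict:
    """Summarise a wtmp byte string as fixed-size records."""
    size = len(data)
    whole, leftover = divmod(size, record_size)
    zero_record = b"\x00" * record_size
    all_zero = sum(
        1 for i in range(whole)
        if data[i * record_size:(i + 1) * record_size] == zero_record
    )
    return {
        "size": size,
        "records": whole,            # what `last` can at most show
        "leftover_bytes": leftover,  # non-zero => file is not record-aligned
        "all_zero_records": all_zero,
        "newline_bytes": data.count(b"\n"),  # what `wc -l` reports
    }


def inspect_wtmp_file(path: str, record_size: int = RECORD_SIZE) -> dict:
    with open(path, "rb") as fh:
        return inspect_wtmp(fh.read(), record_size)


def is_consistent(report: dict) -> bool:
    """True when the file is record-aligned and has no blank records."""
    return report["leftover_bytes"] == 0 and report["all_zero_records"] == 0


# Constructed sample: 32-byte "records" (not a real utmp layout), two of them
# blanked and a 7-byte tail, to mimic a damaged file.
SAMPLE_RECORD_SIZE = 32


def _rec(payload: bytes) -> bytes:
    return payload.ljust(SAMPLE_RECORD_SIZE, b"\x00")


def make_sample() -> bytes:
    return (
        _rec(b"root\x00pts/0\x00\n")        # one newline byte inside the record
        + _rec(b"alice\x00pts/1\x00\n")     # one newline byte
        + _rec(b"bob\x00ttyv\x00\n\n")      # two newline bytes
        + b"\x00" * SAMPLE_RECORD_SIZE      # blank record (e.g. /var was full)
        + b"\x00" * SAMPLE_RECORD_SIZE      # blank record
        + b"\x01" * 7                       # partial record: truncated tail
    )


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(make_sample())
    try:
        rep = inspect_wtmp_file(tmp.name, SAMPLE_RECORD_SIZE)
        for k, v in rep.items():
            print(f"{k:>18}: {v}")
        print("consistent" if is_consistent(rep) else "DAMAGED: repair with fwtmp")
    finally:
        os.unlink(tmp.name)
```

Run against a real file with `inspect_wtmp_file("/var/adm/wtmp", RECORD_SIZE)` after setting RECORD_SIZE for that host; a non-zero `leftover_bytes` or any `all_zero_records` is the "size and information do not fit together" situation described above, and `newline_bytes` is the number `wc -l` prints, which is why it differs from `last | wc -l`.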