/var/run/utmp
/var/log/wtmp
/var/log/btmp

Solaris:
(deprecated) /var/adm/utmp
/var/adm/utmpx
(deprecated) /var/adm/wtmp
/var/adm/wtmpx

FreeBSD 9.0:
/var/run/utx.active (utmp equivalent)
/var/log/utx.log (wtmp equivalent)
Overview
The `utmp`, `wtmp` and `btmp` files track successful and failed logins on the system. They are notably maintained by the `login(1)`, `init(1)`, `sshd(8)`, and some versions of the `getty(8)` programs. However, none of these programs creates the `wtmp` and `btmp` files, so if the files are deleted, record-keeping is effectively turned off.
The following `*tmp` login record files are commonly defined on Linux distributions:

- `utmp` / `utmpx` (under `/var/run/`): currently logged-in users. As `/var/run/` (often a symlink to `/run/`) is a `tmpfs` filesystem in RAM, the `utmp` / `utmpx` files do not persist across system shutdowns. The `utmpx` and `utmp` files are read by the `who(1)` utility to list the user(s) currently logged in on the system.
- `wtmp` / `wtmpx` (under `/var/log/`): all current and past logins, with additional details on system shutdowns and reboots, etc. Not all entries are thus related to user authentication.
- `btmp` / `btmpx` (under `/var/log/`): all bad / failed login attempts.

The `*tmpx` files are extended database files that supersede the `*tmp` files on some distributions.
Information of interest
utmp record format
The `utmp` entry format is specified in the `utmp.h` (under `/usr/include/`) or `bits/utmp.h` header. This format is used by the `utmp`, `wtmp`, and `btmp` logs.

The fields available depend on the `utmp` implementation for the given system and may vary between distributions and `utmp.h` versions / implementations.
Field | Description |
---|---|
`ut_type` | The type of login associated with the record. The following type values are defined: `EMPTY` (0): no valid user accounting information; `RUN_LVL` (1): the system's runlevel; `BOOT_TIME` (2): time of system boot; `NEW_TIME` (3): time after the system clock changed; `OLD_TIME` (4): time when the system clock changed; `INIT_PROCESS` (5): process spawned by the init process; `LOGIN_PROCESS` (6): session leader of a logged-in user; `USER_PROCESS` (7): normal process; `DEAD_PROCESS` (8): terminated process. The `login(1)` program creates records of `USER_PROCESS` type after a user has successfully authenticated, populating the `ut_host` and `ut_addr` fields. Terminal emulators may also directly create `USER_PROCESS` records. |
`ut_pid` | The process ID of the process associated with the record. |
`ut_line` & `ut_id` | The name of the (native `tty` or pseudo `pts`) terminal device associated with the record (such as `tty1` or `pts/3`). `ut_line` is set to `~` and `ut_id` to `~~` for records related to system shutdown or reboot. |
`ut_name` / `ut_user` | The username or technical information associated with the record. The username is set to: `shutdown` for system shutdown; `reboot` for system reboot; `LOGIN` for `LOGIN_PROCESS` records; `runlevel` for `RUN_LVL` records related to `init(1)`; the username of the user associated with the login for `USER_PROCESS` records. |
`ut_host` | The source host's hostname or IP address, set for `USER_PROCESS` records linked to a remote login (set to `:0` for local logins), or the kernel version for `RUN_LVL` records. |
`ut_addr` | The source host's IP address, set for `USER_PROCESS` records linked to a remote login (set to `0.0.0.0` otherwise). |
`ut_time` / `ut_tv` | The timestamp of the record, with up to microsecond precision depending on the system architecture (32-bit or 64-bit) and `utmp.h` versions / implementation. |
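As an added example (not code from the original page), the following Python parser decodes raw `utmp` / `wtmp` / `btmp` records into the fields described above and reproduces the `who(1)` view of open sessions. It assumes the glibc `struct utmp` layout on x86_64 Linux (384-byte records, 32-bit `ut_tv`); Solaris `utmpx` and FreeBSD `utx` files use different layouts, and the sample records are constructed, not captured from a real host.

```python
import socket
import struct
from datetime import datetime, timezone

# struct utmp as laid out by glibc's bits/utmp.h on x86_64 Linux: 384-byte records,
# little-endian, ut_session and ut_tv kept 32-bit for compatibility. Assumption:
# other libcs, Solaris utmpx and FreeBSD utx.* files use different layouts.
UTMP_STRUCT = struct.Struct("<h2xi32s4s32s256shhi2i16s20x")
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def _addr(raw16: bytes) -> str:
    # ut_addr_v6 holds four network-order words; an IPv4 address uses only the first,
    # so all-zero upper words mean IPv4 (0.0.0.0 for local / unset, as the table notes).
    if raw16[4:] == b"\0" * 12:
        return socket.inet_ntop(socket.AF_INET, raw16[:4])
    return socket.inet_ntop(socket.AF_INET6, raw16)

def parse_utmp(data: bytes) -> list:
    """Decode every complete record of a utmp/wtmp/btmp file into a dict."""
    usable = len(data) - len(data) % UTMP_STRUCT.size   # a trailing partial record is ignored
    records = []
    for (ut_type, pid, line, ut_id, user, host, _term, _exit, _sess,
         sec, usec, addr) in UTMP_STRUCT.iter_unpack(data[:usable]):
        records.append({
            "type": UT_TYPES.get(ut_type, "UNKNOWN(%d)" % ut_type), "pid": pid,
            "line": _cstr(line), "id": _cstr(ut_id), "user": _cstr(user),
            "host": _cstr(host), "addr": _addr(addr),
            "time": datetime.fromtimestamp(sec + usec / 1e6, tz=timezone.utc),
        })
    return records

def logged_in(records: list) -> list:
    """Mimic who(1): USER_PROCESS records are the sessions still considered open."""
    return [(r["user"], r["line"], r["host"]) for r in records if r["type"] == "USER_PROCESS"]

def make_record(ut_type, pid, line, ut_id, user, host, sec, addr="0.0.0.0") -> bytes:
    # Builds constructed sample records for the demo; not data from a real system.
    fam = socket.AF_INET6 if ":" in addr else socket.AF_INET
    packed = socket.inet_pton(fam, addr).ljust(16, b"\0")
    return UTMP_STRUCT.pack(ut_type, pid, line.encode(), ut_id.encode(), user.encode(),
                            host.encode(), 0, 0, 0, sec, 0, packed)

# Constructed wtmp content: reboot, a remote login that ended, and a local login still open.
SAMPLE_WTMP = (make_record(2, 0, "~", "~~", "reboot", "5.15.0-generic", 1700000000)
               + make_record(7, 4321, "pts/3", "ts/3", "alice", "10.0.0.5", 1700000100, "10.0.0.5")
               + make_record(8, 4321, "pts/3", "ts/3", "", "", 1700000900)
               + make_record(7, 4400, "tty1", "tty1", "bob", ":0", 1700001000))
```

Feeding the bytes of a real `/var/log/wtmp` from a matching system into `parse_utmp` yields the same dicts that `utmpdump` prints as columns.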
Tool(s)
`*tmp` login records are not stored in clear-text and must be parsed with adequate utilities:

- The `utmpdump` utility can be used to parse `*tmp` logs into an ASCII table.

  ```bash
  utmpdump [-o <OUTPUT_FILE>] <INPUT_FILE>

  # Output format:
  # [ut_type] [ut_pid] [ut_id] [ut_user] [ut_line] [ut_host] [ut_addr] [ut_time]
  ```

- The `target-query` tool, part of the `dissect` Python framework, can be used to parse `wtmp` and `btmp` logs into `CSV` or `JSON` outputs.

  ```bash
  # To parse a single wtmp or btmp file, the files must be under <TARGET>/var/log/
  target-query -f <wtmp | btmp> <TARGET> | rdump <--csv | --json | --jsonlines>
  ```