In a Linux system, everything is logged in a log file under the directory called /var/log. This directory contains logs related to different services and applications. In this directory we have some files such as utmp, wtmp and btmp. Unlike the system log files and the authentication log files, all of these files are binary files. So, we can’t use our normal text tools, such as less or grep, to read them or extract information from them. Instead, we’ll use some special tools that can read these binary files.
- utmp will give you complete picture of users logins at which terminals, logouts, system events and current status of the system, system boot time (used by uptime) etc.
- wtmp gives historical data of utmp.
- btmp records only failed login attempts.
w and who Commands
The w and who commands pull information about who’s logged in and what they’re doing from the /var/run/utmp file. If you want to see the list of users who are currently logged in, use who:
$ who geek console Jul 1 23:27 geek ttys000 Jul 7 13:13 geek ttys001 Jul 18 18:34
last Command
The last command provides how they logged in, when they logged in and when they logged out etc info on the screen.
# last
We can also use the last command to read the content of the files wtmp, utmp and btmp as well. For example:
# last -f /var/log/wtmp ### To open wtmp file and view its content use blow command. # last -f /var/run/utmp ### To see still logged in users view utmp file use last command. # last -f /var/log/btmp ### To view btmp file use same command.
lastb Command
You can review the current history of logged sessions contained within /var/run/btmp by typing:
# lastb
utmpdump Command
Now, given that binary files cannot be viewed using basic reading commands such as cat, less, and more, rather than simply relying on basic commands such as last, who, lastb, and others, a different approach is to use the utmpdump command like this:
# utmpdump /path/to/binary
So if you want to read the contents of the binary files wtmp, utmp or btmp, use the command as:
# utmpdump /var/run/utmp # utmpdump /var/log/wtmp # utmpdump /var/log/btmp