The Geek Diary

CONCEPTS | BASICS | HOWTO

What is the purpose of utmp, wtmp and btmp files in Linux

By

In a Linux system, everything is logged in a log file under the directory called /var/log. This directory contains logs related to different services and applications. In this directory we have some files such as utmp, wtmp and btmp. Unlike the system log files and the authentication log files, all of these files are binary files. So, we can’t use our normal text tools, such as less or grep, to read them or extract information from them. Instead, we’ll use some special tools that can read these binary files.

  • utmp will give you complete picture of users logins at which terminals, logouts, system events and current status of the system, system boot time (used by uptime) etc.
  • wtmp gives historical data of utmp.
  • btmp records only failed login attempts.

w and who Commands

The w and who commands pull information about who’s logged in and what they’re doing from the /var/run/utmp file. If you want to see the list of users who are currently logged in, use who:

$ who
geek    console  Jul  1 23:27
geek    ttys000  Jul  7 13:13
geek    ttys001  Jul 18 18:34

last Command

The last command provides how they logged in, when they logged in and when they logged out etc info on the screen.

# last

We can also use the last command to read the content of the files wtmp, utmp and btmp as well. For example:

# last -f /var/log/wtmp    ### To open wtmp file and view its content use blow command.
# last -f /var/run/utmp    ### To see still logged in users view utmp file use last command.
# last -f /var/log/btmp    ### To view btmp file use same command.

lastb Command

You can review the current history of logged sessions contained within /var/run/btmp by typing:

# lastb

utmpdump Command

Now, given that binary files cannot be viewed using basic reading commands such as cat, less, and more, rather than simply relying on basic commands such as last, who, lastb, and others, a different approach is to use the utmpdump command like this:

# utmpdump /path/to/binary

So if you want to read the contents of the binary files wtmp, utmp or btmp, use the command as:

# utmpdump /var/run/utmp
# utmpdump /var/log/wtmp
# utmpdump /var/log/btmp

You May Also Like