The Geek Diary

What is the purpose of utmp, wtmp and btmp files in Linux

By admin

On a Linux system, services and applications write their logs under the /var/log directory. Among these logs are the login accounting files utmp, wtmp and btmp. Unlike the system log files and the authentication log files, all three are binary files, so normal text tools such as less or grep cannot read them or extract information from them. Instead, we use special tools that can read these binary files.

  • utmp gives a complete picture of the current state of the system: which users are logged in at which terminals, logouts, system events, the system boot time (used by uptime), and so on.
  • wtmp holds the historical data of utmp.
  • btmp records only failed login attempts.

w and who Commands

The w and who commands pull information about who’s logged in and what they’re doing from the /var/run/utmp file. If you want to see the list of users who are currently logged in, use who:

$ who
geek    console  Jul  1 23:27
geek    ttys000  Jul  7 13:13
geek    ttys001  Jul 18 18:34

last Command

The last command prints how users logged in, when they logged in, when they logged out, and similar session details.

# last

We can also use the last command to read the content of the files wtmp, utmp and btmp as well. For example:

# last -f /var/log/wtmp    ### View the contents of the wtmp file.
# last -f /var/run/utmp    ### View the utmp file to see users who are still logged in.
# last -f /var/log/btmp    ### View the btmp file the same way.

lastb Command

You can review the failed login attempts recorded in /var/log/btmp by typing:

# lastb

utmpdump Command

Binary files cannot be viewed with basic reading commands such as cat, less and more. Besides the purpose-built commands last, who, lastb and others, a different approach is to dump the raw records with the utmpdump command:

# utmpdump /path/to/binary

So, to read the contents of the binary files utmp, wtmp or btmp, run:

# utmpdump /var/run/utmp
# utmpdump /var/log/wtmp
# utmpdump /var/log/btmp
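
What utmpdump is decoding, as an added example that is not part of the original article: a Python parser for the fixed-size records in these files, plus a count of repeated failed logins per user and host of the kind you would run over btmp. It assumes glibc's 384-byte struct utmp layout on x86-64 Linux; the sample records, the 192.0.2.x hosts and the helper names are constructed for illustration.

```python
import struct
from collections import Counter, namedtuple
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on x86-64 Linux, 384 bytes per record.
UTMP = struct.Struct("<hxxi32s4s32s256shhiIi16s20s")
TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
         6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}
Record = namedtuple("Record", "type pid line user host time")

def _text(raw):
    # Fields are NUL-padded and not guaranteed to be NUL-terminated.
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Return (records, leftover_bytes); a partial trailing record is not parsed."""
    whole = len(data) - len(data) % UTMP.size
    records = []
    for f in UTMP.iter_unpack(data[:whole]):
        ut_type, pid, line, _id, user, host, _term, _exit, _sess, sec = f[:10]
        when = datetime.fromtimestamp(sec, tz=timezone.utc)
        records.append(Record(TYPES.get(ut_type, str(ut_type)), pid,
                              _text(line), _text(user), _text(host), when))
    return records, len(data) - whole

def failed_logins(records, threshold=2):
    """Count entries per (user, host) and keep the pairs at or above threshold."""
    counts = Counter((r.user, r.host) for r in records if r.user)
    return {pair: n for pair, n in counts.items() if n >= threshold}

def _make(ut_type, pid, line, user, host, sec):
    # Builds one constructed record for the sample below.
    return UTMP.pack(ut_type, pid, line, b"", user, host, 0, 0, 0, sec, 0, b"", b"")

# Constructed sample standing in for /var/log/btmp (192.0.2.0/24 is a documentation range).
SAMPLE = b"".join([
    _make(6, 4101, b"ssh:notty", b"root", b"192.0.2.10", 1700000000),
    _make(6, 4102, b"ssh:notty", b"root", b"192.0.2.10", 1700000003),
    _make(6, 4107, b"ssh:notty", b"geek", b"192.0.2.77", 1700000050),
]) + b"\x06\x00"  # truncated tail, as if the file was copied mid-write

if __name__ == "__main__":
    recs, leftover = parse_utmp(SAMPLE)
    for r in recs:
        print(r.time.isoformat(), r.type, r.user, r.host, r.line)
    print("leftover bytes:", leftover)
    print("repeated failures:", failed_logins(recs))
```

To run it against a real file, read the bytes with open("/var/log/btmp", "rb").read() as root and pass them to parse_utmp; a non-zero leftover count means the file size is not a multiple of the record size and the layout assumption or the copy should be checked.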

Filed Under: Linux


© 2021 · The Geek Diary