What is utmp,wtmp,btmp, and how to read?

  • Post last modified:February 26, 2022
  • Reading time:7 mins read
  • Post author:
  • Post comments:0 Comments

Whenever you do a loginlogout, or attempt to log in, everything gets recorded on your system, and there is a specific command that you can use to find out who has logged into your Linux system.

In this article, you will see a binary file that is responsible for maintaining records and how to read the binary file using the utmpdump utility.

What is /var/run/utmp?

utmp is responsible for keeping track of the users logged in to your system, and when you run a who command in your terminal, it retrieves login information from /var/run/utmp, then it displays on your screen.

And it maintains details about your current login, system boot time, which terminal or pseudo-terminal is used for login, logout, etc.

$ who

trendoceans tty7         2022-02-24 21:56 (:0)
trendoceans pts/0        2022-02-24 21:56 (:0)
trendoceans pts/3        2022-02-25 20:50 (:0)

What is /var/log/wtmp?

A binary file /var/log/wtmp is responsible for making a record of all logged-in and logged-out users, and even you can say it maintains all the action of /var/run/utmp in /var/log/wtmp.

But for how long will the log data be stored in /var/log/wtmp? It’s all upon the configuration in /etc/logrotate.conf by default all logs get refreshed after four weeks of time.

The last command leverages the /var/log/wtmp file to display all the previous logged in and logged out data.

$ last

Output
ankit    tty3                          Fri Feb 25 21:07    gone - no logout
trendoce pts/4        :0               Fri Feb 25 20:50 - 20:50  (00:00)
trendoce pts/3        :0               Fri Feb 25 20:50   still logged in
trendoce pts/2        :0               Fri Feb 25 20:35 - 20:50  (00:14)
trendoce pts/1        :0               Fri Feb 25 09:40 - 11:07  (01:27)
trendoce pts/1        :0               Fri Feb 25 09:28 - 09:31  (00:02)
trendoce pts/0        :0               Thu Feb 24 21:56    gone - no logout
trendoce tty7         :0               Thu Feb 24 21:56    gone - no logout
reboot   system boot  5.10.0-11-amd64  Thu Feb 24 23:49   still running

What is /var/log/btmp?

/var/log/btmp is similar to the above file, but it holds a bad or failed attempt to login. And you cannot access the lastb command without sudo privileges.

$ sudo lastb

Output
trendoce ssh:notty    192.168.100.24   Sat Feb 26 12:15 - 12:15  (00:00)
trendoce ssh:notty    192.168.100.7    Thu Feb 24 20:53 - 20:53  (00:00)
debian   ssh:notty    192.168.100.24   Thu Feb 24 20:44 - 20:44  (00:00)
trendoce tty2                          Fri Feb  4 17:09 - 17:09  (00:00)

btmp begins Fri Feb  4 17:09:56 2022

How to read utmp, wtmp, and btmp in raw format

All these files in /var/run/utmp, /var/log/wtmp, and /var/log/btmp are binary files. You cannot read this file using any text editor or pager like more, less, etc. 

And when you run a file command to check the file type, it will show you it is data

$ sudo file /var/run/utmp /var/log/wtmp /var/log/btmp

Output:
/var/run/utmp: data
/var/log/wtmp: data
/var/log/btmp: data

To learn what this file stores, you can use the command utmpdump“, which will read this file in raw format. On most Linux systems, you will find the utmpdump utility to use.’

You can run any of the following commands to read the file in its raw format.

$ sudo utmpdump /var/run/utmp 
$ sudo utmpdump /var/log/wtmp
$ sudo utmpdump /var/log/btmp

And to better understand the raw format, I suggest you run the respective command along with the above command, such as wholast, and lastb.

$ sudo utmpdump /var/run/utmp 
$ who -all

When you run the command as mentioned above, you will find the output is similar to the who command. And you may notice the time is different in both results, but it’s not because my system does not follow the UTC.

You should read: [Solved] Fix different time issues in Dual Boot?

Comparison between utmp and who
Comparison between utmp and who

Most user preferred to read : Date command usage in Linux

You will find the same time if you convert the UTC timezone to IST using the date command.

$ date -d 'TZ="UTC" 2022/02/24 18:19:29'

Output:
Thursday 24 February 2022 11:49:29 PM IST

And the rest of the output is identical.

Wrap up

That’s all for utmp, wtmp, btmp, and how to read it? I believe you are now aware of which binary file is responsible for specific logging purposes.

I recommend you read “How to check who has logged into my Linux system,” where we have explained in-depth usage of wholastw, and last command.

Enjoy it!

Leave a Reply