Every login, logout, and login attempt is recorded on your system, and there is a specific command that you can use to find out who has logged into your Linux system.
In this article, you will see the binary files that are responsible for maintaining these records and how to read them using the “utmpdump” utility.
What is /var/run/utmp?
utmp is responsible for keeping track of the users logged in to your system. When you run the who command in your terminal, it retrieves the login information from /var/run/utmp and displays it on your screen.
It also maintains details about your current login, the system boot time, which terminal or pseudo-terminal is used for login, logout, etc.
$ who
trendoceans tty7 2022-02-24 21:56 (:0)
trendoceans pts/0 2022-02-24 21:56 (:0)
trendoceans pts/3 2022-02-25 20:50 (:0)
What is /var/log/wtmp?
The binary file /var/log/wtmp is responsible for keeping a record of all logged-in and logged-out users; you could say it keeps every action from /var/run/utmp in /var/log/wtmp.
But for how long will the log data be stored in /var/log/wtmp? That depends on the configuration in /etc/logrotate.conf; by default, all logs get refreshed after four weeks.
The last command uses the /var/log/wtmp file to display all the previous login and logout data.
$ last
Output
ankit tty3 Fri Feb 25 21:07 gone - no logout
trendoce pts/4 :0 Fri Feb 25 20:50 - 20:50 (00:00)
trendoce pts/3 :0 Fri Feb 25 20:50 still logged in
trendoce pts/2 :0 Fri Feb 25 20:35 - 20:50 (00:14)
trendoce pts/1 :0 Fri Feb 25 09:40 - 11:07 (01:27)
trendoce pts/1 :0 Fri Feb 25 09:28 - 09:31 (00:02)
trendoce pts/0 :0 Thu Feb 24 21:56 gone - no logout
trendoce tty7 :0 Thu Feb 24 21:56 gone - no logout
reboot system boot 5.10.0-11-amd64 Thu Feb 24 23:49 still running
What is /var/log/btmp?
/var/log/btmp is similar to the above file, but it holds bad or failed login attempts. You cannot use the lastb command without sudo privileges.
$ sudo lastb
Output
trendoce ssh:notty 192.168.100.24 Sat Feb 26 12:15 - 12:15 (00:00)
trendoce ssh:notty 192.168.100.7 Thu Feb 24 20:53 - 20:53 (00:00)
debian ssh:notty 192.168.100.24 Thu Feb 24 20:44 - 20:44 (00:00)
trendoce tty2 Fri Feb 4 17:09 - 17:09 (00:00)
btmp begins Fri Feb 4 17:09:56 2022
How to read utmp, wtmp, and btmp in raw format
All of these files, /var/run/utmp, /var/log/wtmp, and /var/log/btmp, are binary files. You cannot read them using a text editor or a pager like more, less, etc.
And when you run the file command to check the file type, it will show you that it is data.
$ sudo file /var/run/utmp /var/log/wtmp /var/log/btmp
Output:
/var/run/utmp: data
/var/log/wtmp: data
/var/log/btmp: data
To learn what these files store, you can use the “utmpdump” command, which will read a file in raw format. On most Linux systems, you will find the “utmpdump” utility available.
You can run any of the following commands to read the file in its raw format.
$ sudo utmpdump /var/run/utmp
$ sudo utmpdump /var/log/wtmp
$ sudo utmpdump /var/log/btmp
And to better understand the raw format, I suggest you run the respective command along with the above command, such as who, last, and lastb.
$ sudo utmpdump /var/run/utmp
$ who -all
When you run the commands mentioned above, you will find that the utmpdump output is similar to the output of the who command. You may notice that the time is different in the two results, but that is only because utmpdump shows the time in UTC and my system does not follow UTC.
You will find the same time if you convert the UTC timezone to IST using the date command.
$ date -d 'TZ="UTC" 2022/02/24 18:19:29'
Output:
Thursday 24 February 2022 11:49:29 PM IST
And the rest of the output is identical.
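To see what utmpdump is decoding, here is an added example (not part of the original article) that parses the records directly. It assumes the 384-byte glibc struct utmp layout on little-endian Linux; the sample bytes, the PID, and the helper names are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc "struct utmp" on little-endian Linux (384 bytes per record).
UTMP = struct.Struct("<hxxi32s4s32s256shhiii16s20x")
TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
         5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _text(raw):
    """Fixed-width fields are NUL-padded; keep only the bytes before the first NUL."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Return (records, leftover); leftover > 0 means a truncated trailing record."""
    records = []
    whole = len(data) - len(data) % UTMP.size
    for off in range(0, whole, UTMP.size):
        typ, pid, line, _id, user, host, _term, _exit, _sess, sec, _usec, _addr = \
            UTMP.unpack_from(data, off)
        records.append({
            "type": TYPES.get(typ, str(typ)),
            "pid": pid,
            "user": _text(user),
            "line": _text(line),
            "host": _text(host),
            # Report the stored epoch seconds in UTC, as in the utmpdump output above.
            "time": datetime.fromtimestamp(sec, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        })
    return records, len(data) - whole

def make_record(typ, pid, line, user, host, when):
    """Build one constructed record for the demo (not read from a real system)."""
    sec = int(when.replace(tzinfo=timezone.utc).timestamp())
    return UTMP.pack(typ, pid, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, sec, 0, b"")

# Constructed sample mirroring the article's output: the boot record and one login.
SAMPLE = (make_record(2, 0, "~", "reboot", "5.10.0-11-amd64", datetime(2022, 2, 24, 18, 19, 29))
          + make_record(7, 1234, "pts/3", "trendoceans", ":0", datetime(2022, 2, 25, 15, 20, 0))
          + b"\x07\x00")  # two stray bytes: a truncated trailing record

if __name__ == "__main__":
    records, leftover = parse_utmp(SAMPLE)
    for r in records:
        print("[{type}] [{pid:05d}] [{user:<8}] [{line:<12}] [{host:<20}] [{time} UTC]".format(**r))
    print("leftover bytes:", leftover)
```

A non-zero leftover means the file size is not a multiple of the record size, which is worth a closer look before trusting the rest of the log.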
Wrap up
That’s all for utmp, wtmp, btmp, and how to read them. I believe you are now aware of which binary file is responsible for which logging purpose.
I recommend you read “How to check who has logged into my Linux system,” where we have explained in-depth usage of the who, last, w, and last commands.
Enjoy it!
