If you are familiar with the Linux file structure, then you might already be aware of the "/var/log" directory, which is responsible for keeping the system-related logs.
You can easily list the content of this directory using the ls command.
$ ls /var/log/
Output:

As you can see from the above picture, this directory contains various files and directories related to different services and applications.
However, within the same directory, we have utmp, wtmp, and btmp files (the primary objective of this article), on which we will be more focused.
What are utmp, wtmp, and btmp Files in Linux?
To understand the role of these files, you need to understand how the login (authentication) mechanism works in the Linux system.
So, whenever you log in to any Linux system, the information you provide is validated against the user database, and once you've successfully logged in, the login program writes entries in two (log) files:
- The "/var/run/utmp" file, which contains the record of users logged into the system.
- The "/var/log/wtmp" file, which contains the historical record of the "utmp" file.
If the user is unable to login due to an incorrect login name or password, the login program writes the entry in:
- The "/var/log/btmp" file, which contains the record of failed login attempts.
I hope this short description gives you a complete picture of the purpose of these log files. Note also that some popular commands use these files to produce their output.
The following is a list of all the commands that make use of these log files.
| Log Files | Commands | Usage |
|---|---|---|
| utmp | w, who | To show you the logged-in user on the target machine. |
| wtmp | last | To show you the historical data of all the users logged into the target machine since the last reboot. |
| btmp | lastb | To show you the list of unsuccessful login attempts held on the target machine. |
Note that these files are binary (or database) files, so you can't read them using the cat command or pager programs like more and less.
However, you can use the above commands that utilize these files in their output, which is equivalent to reading these files.
Or you can take advantage of a specialized program like "utmpdump" that is used to dump and load utmp, wtmp, and btmp files.
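To show why a pager cannot display these files, here is an added example (not code from the original article) that decodes the fixed-size binary records these files consist of and counts failed logins per source host. It assumes the 384-byte glibc `struct utmp` layout used on x86_64 Linux; the function names and the sample records are constructed for illustration.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on x86_64 Linux (384 bytes per record).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20x")
TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS", 6: "LOGIN_PROCESS",
         7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _text(raw):
    """Fixed-width char fields are NUL-padded, so cut at the first NUL."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_records(data):
    """Yield one dict per complete record; a trailing partial record is skipped."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        (ut_type, pid, line, _id, user, host,
         _term, _exit, _session, sec, _usec, _addr) = UTMP.unpack_from(data, off)
        yield {
            "type": TYPES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _text(line),
            "user": _text(user),
            "host": _text(host),
            "time": datetime.fromtimestamp(sec, timezone.utc),
        }

def failed_logins_by_host(btmp_bytes):
    """Count btmp entries per source host (lastb lists them one by one)."""
    return Counter(r["host"] or "(local)" for r in parse_records(btmp_bytes))

def make_record(ut_type, pid, line, user, host, sec):
    """Build a constructed sample record so the example runs without root."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, sec, 0, b"\0" * 16)

# Constructed sample data (documentation addresses), not from a real host.
SAMPLE_BTMP = b"".join([
    make_record(6, 4101, "ssh:notty", "root", "203.0.113.7", 1700000000),
    make_record(6, 4102, "ssh:notty", "admin", "203.0.113.7", 1700000005),
    make_record(6, 4110, "tty1", "alice", "", 1700000100),
]) + b"\x00" * 10  # incomplete tail, as when a file is read mid-write

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_BTMP):
        print(rec["time"].isoformat(), rec["type"], rec["user"],
              rec["line"], rec["host"])
    print(failed_logins_by_host(SAMPLE_BTMP).most_common())
```

On a real host, the bytes of "/var/log/btmp" (read with root privileges) can be passed to failed_logins_by_host() in place of the sample data.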
How to Read utmp, wtmp, and btmp Files in Linux
As I've told you earlier, commands like w, who, last, and lastb utilize these files in their output, so let's see how you can use them to read the content of these files.
Reading the utmp file using the w and who commands
The w and who commands utilize the "/var/run/utmp" file to show you the list of all the logged-in users on the target machine.
$ w
$ who
Output:

Note that the w command is not solely using the utmp file; it is also pulling the data from the "/proc" directory to show you the running process in the "WHAT" field.
Reading the wtmp file using the last command
The last command uses the "/var/log/wtmp" file to tell you about all the users who have logged in to the target machine in the past.
$ last
Output:

Reading the btmp file using the lastb command
The lastb command utilizes the "/var/log/btmp" file to show you the record of failed login attempts on the target machine, but note that this command requires root or sudo privilege.
$ sudo lastb
Output:

Note that all of the above commands use the "utmp", "wtmp", and "btmp" log files but also utilize some other files, and they show you only certain information from the files unless you specify an option.
However, you can use the utmpdump command to read this in the raw format without any filter.
How to Read utmp, wtmp, and btmp Files Using the utmpdump Command
The only job of utmpdump is to dump and load the utmp, wtmp, and btmp files in raw format, which sounds quite easy; let's try it.
1. Reading the utmp file using the utmpdump command
Execute the following command to read the "/var/run/utmp" file using the utmpdump command.
$ utmpdump /var/run/utmp
Output:

2. Reading the wtmp file using the utmpdump command
Execute the following command to read the "/var/log/wtmp" file using the utmpdump command.
$ utmpdump /var/log/wtmp
Output:

3. Reading the btmp file using the utmpdump command
Execute the following command with root or sudo privileges to read the "/var/log/btmp" file using the utmpdump command.
$ sudo utmpdump /var/log/btmp
Output:

Conclusion
I hope this article will fill you with curiosity, like so many things hidden in Linux. Also, don't forget to follow us everywhere to keep yourself updated and sharpen your skills in Linux.
Also, if you have questions or queries related to this topic, feel free to ask them in the comment section.
Till then, sayonara!




