View utmp, wtmp and btmp files

In Linux/Unix operating systems everything is logged some where. Most of the system logs are logged in to /var/log folder. This folder contains logs related to different services and applications. In this folder we have some files such as utmp, wtmp and btmp. These files contains all the details about login’s and logout’s which are from local as well as from remote systems and system status such as uptime etc.

Some info about utmp, wtmp and btmp

• utmp will give you complete picture of users logins at which terminals, logouts, system events and current status of the system, system boot time (used by uptime) etc.
• wtmp gives historical data of utmp.
• btmp records only failed login attempts.

Normally when we try to view these files using cat command or vi editor they used to throw some junk characters and garbage values or in encrypted form or hex values. The output of these files when open with vi or cat command are shown below to show how wtmp file look when opened with vi.

This is totally unreadable, then how we can read this file?

We can read this file with only last command. last command is one of the important command which will give you how logged in, when they logged in and when they logged out etc info on the screen.

My last command output.

root@linuxnix:~# last

surendra pts/1 :0 Mon Oct 1 19:11 still logged in 
surendra pts/2 :0 Mon Oct 1 18:40 – 19:11 (00:30) 
reboot system boot 3.2.0-30-generic Mon Oct 1 18:39 – 19:12 (00:32) 
surendra pts/1 :0 Mon Oct 1 18:34 – 18:39 (00:05) 
reboot system boot 3.2.0-30-generic Mon Oct 1 18:33 – 18:39 (00:05) 
surendra pts/1 :0 Mon Oct 1 18:31 – 18:32 (00:01) 
reboot system boot 3.2.0-30-generic Mon Oct 1 18:30 – 18:39 (00:09) 
surendra pts/1 :0 Mon Oct 1 13:29 – 18:27 (04:57) 
root pts/1 203.217.144.12 Mon Oct 1 13:13 – 13:13 (00:00) 
reboot system boot 3.2.0-30-generic Mon Oct 1 12:08 – 18:29 (06:20) 
reboot system boot 3.2.0-30-generic Mon Oct 1 12:04 – 12:08 (00:03) 
surendra pts/1 :0 Mon Oct 1 10:34 – down (01:12) 
reboot system boot 3.2.0-30-generic Mon Oct 1 10:33 – 11:46 (01:12)

This last command display many details about user login/logout activity. The same command can be used to view wtmp, utmp and btmp files.

To open wtmp file and view its content use blow command

last -f /var/log/wtmp

To see still logged in users view utmp file use last command

last -f /var/run/utmp

To view btmp file use same command

last -f /var/log/btmp

Sample output of last -f wtmp command output.

last -f wtmp.1

root pts/1 ae.ptr10.public. Sun Sep 30 13:01 – 13:11 (00:10) 
surendra pts/1 :0 Sun Sep 30 09:23 – 10:55 (01:32) 
reboot system boot 3.2.0-30-generic Sun Sep 30 07:36 – 20:12 (1+12:36) 
reboot system boot 3.2.0-30-generic Sat Sep 29 21:56 – 01:19 (03:23) 
surendra pts/1 :0 Sat Sep 29 09:36 – 14:37 (05:01)

<–output clipped here–>
reboot system boot 3.2.0-30-generic Fri Sep 28 22:51 – 14:37 (15:46) 
reboot system boot 3.2.0-30-generic Fri Sep 28 21:39 – 21:45 (00:05) 
reboot system boot 3.2.0-29-generic Sat Sep 1 22:53 – 23:07 (00:14)

wtmp.1 begins Sat Sep 1 18:28:10 2012