last, wtmp, utmp and btmp login tracking linux
You need to use last in order to view the wtmp, utmp and btmp files.
View utmp, wtmp and btmp files
In Linux/Unix operating systems almost everything is logged somewhere. Most system logs live under the /var/log folder, which holds logs for the different services and applications. Three files there are special: utmp, wtmp and btmp. Between them they record who is logged in right now (utmp, which actually lives in /var/run), every login and logout since the file was last rotated (wtmp) and failed login attempts (btmp), for local as well as remote sessions, together with system events such as reboots and run-level changes.
Some info about utmp, wtmp and btmp
Normally when we try to view these files with the cat command or the vi editor we get junk characters and garbage values. This is not encryption or hex encoding: the files are binary, a plain sequence of fixed-size records (struct utmp, see utmp(5)), so a text editor just shows the raw bytes. Opened in vi, wtmp looks like a screen full of ^@ and other control characters.
This is totally unreadable, so how can we read it?
The standard tool is the last command. It reads these records and prints who logged in, where they logged in from, when they logged in and when they logged out. (who and w read utmp for the current sessions, lastb reads btmp, and utmpdump from util-linux prints the raw records of any of the three files.)
My last command output:
surendra pts/1 :0 Mon Oct 1 19:11 still logged in
The last command displays many details about user login/logout activity. With the -f option the same command reads any of the wtmp, utmp and btmp files, including rotated copies such as wtmp.1.
To open the wtmp file and view its content use the command below:
last -f /var/log/wtmp
To see users who are still logged in, read the utmp file with last:
last -f /var/run/utmp
To view the btmp file (failed logins; it is normally readable only by root) use the same command:
last -f /var/log/btmp
Sample output of last -f on a rotated wtmp file:
last -f wtmp.1
root pts/1 ae.ptr10.public. Sun Sep 30 13:01 - 13:11 (00:10)
<–output clipped here–>
wtmp.1 begins Sat Sep 1 18:28:10 2012
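To show what last actually does with those unreadable bytes, here is an added example that is not from the original post and not part of the last or util-linux sources: a small Python parser for the utmp record format as glibc writes it on x86_64 Linux, which then pairs logins with logouts the way the last -f commands above do. The record layout, the constructed sample file and the helper names (parse_utmp, sessions, format_session) are assumptions of this example. The same code can be pointed at a real /var/log/wtmp or at a wtmp.1 copied from another host, which is useful when you cannot run last on the machine the file came from.

```python
import struct
from datetime import datetime, timezone

# Layout of one struct utmp record as glibc writes it on x86_64 Linux
# (384 bytes; see utmp(5)): ut_type, 2 pad bytes, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit (e_termination, e_exit),
# ut_session, ut_tv (tv_sec, tv_usec, both 32-bit), ut_addr_v6[4], unused[20].
# Assumption: little-endian glibc layout; other libcs or 32-bit ABIs differ.
UTMP_STRUCT = struct.Struct("<hxxi32s4s32s256shhiii16s20s")
UTMP_SIZE = UTMP_STRUCT.size  # 384

# ut_type values from <utmp.h>
EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Return the records of a utmp/wtmp/btmp blob as dicts, file order preserved."""
    if len(data) % UTMP_SIZE:
        raise ValueError("length %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _usec, _addr, _unused) = UTMP_STRUCT.unpack_from(data, off)
        records.append({"type": ut_type, "pid": pid, "line": _cstr(line),
                        "user": _cstr(user), "host": _cstr(host),
                        "time": datetime.fromtimestamp(tv_sec, timezone.utc)})
    return records


def sessions(records):
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same tty,
    as last(1) does. Returns (user, line, host, login, logout); logout is None
    for sessions that are still open."""
    open_by_line, closed = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            closed.append((login["user"], login["line"], login["host"],
                           login["time"], r["time"]))
    still_open = [(r["user"], r["line"], r["host"], r["time"], None)
                  for r in open_by_line.values()]
    return closed + still_open


def format_session(sess):
    """Render one session roughly the way last prints it (times in UTC here)."""
    user, line, host, login, logout = sess
    start = login.strftime("%a %b %d %H:%M")
    if logout is None:
        return "%-8s %-8s %-16s %s still logged in" % (user, line, host, start)
    secs = int((logout - login).total_seconds())
    return "%-8s %-8s %-16s %s - %s (%02d:%02d)" % (
        user, line, host, start, logout.strftime("%H:%M"),
        secs // 3600, secs % 3600 // 60)


def _record(ut_type, pid, line, user, host, tv_sec):
    """Pack one record; used only to build the constructed sample below."""
    return UTMP_STRUCT.pack(ut_type, pid, line.encode(), line[-4:].encode(),
                            user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                            b"\0" * 16, b"\0" * 20)


# Constructed sample wtmp (not a real file): a reboot, a 10-minute root
# session from a remote host that ended, and a local session still open.
SAMPLE_WTMP = b"".join([
    _record(BOOT_TIME, 0, "~", "reboot", "3.5.0-generic", 1349100000),
    _record(USER_PROCESS, 4242, "pts/1", "root", "ae.ptr10.public.", 1349100060),
    _record(DEAD_PROCESS, 4242, "pts/1", "", "", 1349100660),
    _record(USER_PROCESS, 5150, "pts/2", "surendra", ":0", 1349101000),
])


def main(path=None):
    data = open(path, "rb").read() if path else SAMPLE_WTMP
    for text in map(format_session, sessions(parse_utmp(data))):
        print(text)


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with no argument to parse the constructed sample, or pass a path such as /var/log/wtmp to parse a real file. parse_utmp returns every record, including EMPTY ones and logins that never get a matching DEAD_PROCESS, even though last does not print them; being able to look at those raw records is the main reason to read the file yourself rather than rely only on the formatted view.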