This article focuses on three Linux Files: utmp, wtmp, and btmp. Recording is a crucial part in any Linux-based operating system. Records of logins and logouts into the system as well as failed attempts at logins are maintained. In this article, we will explain the binary file that is in charge of keeping the records of the logins, logouts, and bad/failed login attempts. The purpose of these records is to provide the Linux operating system and application with a timeline or an outline of the circumstances that may lead to solutions for any troubleshooting problems that may occur. These records are all logged into the three files in Linux.
What Are Utmp, Wtmp, and Btmp Files in Linux?
The utmp, wtmp, and btmp are specific binary files that record the logins, logouts, and login attempts on your Linux system. When we use a specific command, it help us find the history of who logged in, when they logged in which includes the day, date, and time stamp, and from where someone has logged into the Linux system which includes which server was used and the location of the terminal through which the user accessed the system.
Utmp File
The “u” in utmp stands for user as it logs information regarding “who” logged onto the system. This log also shows the terminals’ location through which the system was logged in. It is a binary file which manages the users logged into the system and records all the accounts such as the current status of the system, managing and logging users’ logins, logouts, terminals of logins, etc. These files are not simple text files but they are in a binary form and are usually stored at /var/run/utmp.
Example 1:
If we run a “who” command in the terminal, the login information is fetched from /var/run/utmp and then the recorded information such as the current login status, login terminal, logout, etc. See the following image of the mentioned command and how it shows the log:
After we write the “who” command and run it, we get the following result:
Here, the results show us the user’s ID, his login time and date, as well as the ID of the server. These logs are necessary for all Linux operating systems as they help to identify the cause of any problem that may arise.
Wtmp File
The “w” in wtmp stands for “who”, meaning it tells us who the user is and “when” the user logged in and logged out; it is all the history of the user of utmp. The history is found at /var/log/wtmp and it shows all the past recorded data of logins and logouts. As wtmp records all the logged in and logged-out data of the user, it can be said that it preserves or maintains all the actions and commands of utmp. Its command is “w” which fundamentally shows the user’s login details and history.
Example 2:
As we learned that wtmp is basically a record for the utmp file, if we input the command: last –f/var/log/wtmp, it displays the list of logins and logout times and shows the user name and the IP address of the system. Refer to the following screenshot to see how the mentioned command shows the log records:
The following is the output that we get when we give the command to the system:
As it can be seen in the output, when the command is given, it generates the report of system logins and logouts. This output shows the timestamps, days, and dates as well as the status of the system such as whether the user is still logged in, is the system still running or has crashed, has the user logged out or has shut down.
Btmp File
The “b” in btmp is for “bad” as it registers all the bad, failed, or error login attempts. It is similar to the wtmp file as it records and maintains the failed or bad login attempts and is located in the /var/log/btmp. As it records the failed attempts at logins, it can be also used for security purposes. The btmp file is based in /var/log/btmp and it is generated automatically as soon as the system starts up. Sudo privileges are required to access the file and the “lastb” command is to read the files. It can be seen in example 3 that when the lastb command is executed, the system brings up the history of the data that shows the failed or bad login attempts.
Example 3:
The history of the failed login attempts can be viewed by inputting the “lastb” command. This command, when given, shows all the data regarding the failed attempts or bad attempts at logins to the system along with which server was used. The server may be a local one or a remote one depending on the users’ location.
The following is the attached screenshot of the command to view the login attempt records in Linux.
After inputting the command, press enter to execute it. The output of the previous command is as follows:
Here, the output shows the day, date, and time for the login attempt into the system. Btmp is a file that is necessary as it records the failed login attempts. As they are recorded in such details, it helps with security as well.
Conclusion
This article is a short and simple review of the three log files that record the activity in the system in Linux. Here, we discussed and explored the utmp files, wtmp files, and btmp files in Linux. We also learned to differentiate between these three files and what purpose they are used for. These three files hold the data of the logins and logout as well as the records of the location of servers through which a user logged in, whether it’s from the local server or a remote server. With the help of these three files, we can trace any source that may cause the troubleshooting problems. If you are not familiar with these files, this article provides simple and easy explanations for these files to clear up and deepen your concepts. For a better understanding of these concepts, you can also run the commands on your system and see what the output means.