What is the Purpose of utmp, wtmp, and btmp Files in Linux?

The “utmp”, “wtmp”, and “btmp” files are log files in Linux that keep track of system events related to user logins and logouts. These files are located in the “/var/run” or “/var/log” directory and are used by various system utilities to display login and logout information in the terminal.

This article explains the “utmp”, “wtmp”, and “btmp” files in Linux, along with their functionality.

Purpose of utmp File 

The “utmp” file stores information about currently logged-in users. It includes the username, terminal info, and login time.

The file is updated whenever a user logs in or out of the system and is used by programs like the who command to display a list of currently logged-in users. The utmp file is also used by other programs, like the login command to determine if a user is currently logged in and to prevent multiple logins from the same user.

Commands Associated With the utmp File

Here, we will list the commands that use the utmp file to fetch the information:

| Commands | Information Retrieved |
|---|---|
| last | Shows a list of all users who have logged in and out of the system, as well as the time and date of their last login. |
| w | Shows a list of all users who are currently logged in, their terminal, login time, and the command they are currently running. |
| who | Shows a list of all users currently logged in, as well as their terminal and login time. |
| utmpdump | Dumps the contents of the utmp file in a human-readable format. |
| utmpgrep | Greps the contents of the utmp file for specific users or terminals. |
| utmpwatch | Continuously watches the utmp file and displays changes in real time. |

Purpose of wtmp File 

The “wtmp” file is a historical log of all logins and logouts on the system. It keeps track of the same information as the utmp file, but it also stores information about past logins and logouts. This file is updated every time a user logs in or out of the system and is used by programs like the “last” command to display a list of recent logins. This file can be used for auditing and troubleshooting purposes.

Commands Associated With the wtmp File

Here, we will list the commands that use the wtmp file to fetch the information:

| Commands | Information Retrieved |
|---|---|
| last | This command reads the wtmp file and displays a list of recent login and logout entries, along with the user who logged in, the time of the login, and the host from which the user logged in. |
| lastlog | This command also reads the wtmp file and displays the last login time for all users on the system. |
| ac | This command generates statistics on user connect time by reading the wtmp file. |
| faillog | This command shows the number of failed login attempts per user and reads the wtmp file. |

Purpose of btmp File 

The “btmp” file is similar to the “wtmp” file, but it keeps track of failed login attempts. This file is updated whenever a user enters an incorrect password or any other authentication failure. The file stores the same information as the wtmp file, including the “username”, “terminal”, and “login time”. 

This file is used by programs like the “lastb” command to display a list of recent failed login attempts. It can be used to detect and prevent unauthorized access to the system, for example by monitoring the failed login attempts from a specific user account.
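One way to do this kind of per-account monitoring, as an added example that is not part of the original article: a Python parser for btmp records that counts failures per (user, source host) pair. It assumes the 384-byte struct utmp layout that glibc uses on x86-64 Linux; the function names, the threshold, and the sample records are constructed for illustration.

```python
import struct
from collections import Counter

# struct utmp as laid out by glibc on x86-64 Linux: fixed 384-byte records.
# type, pid, line, id, user, host, exit (2 shorts), session, tv_sec, tv_usec, addr_v6
UTMP = struct.Struct("<hxxi32s4s32s256shhiii16s20x")

def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_records(blob):
    """Yield one dict per complete record; a truncated tail is skipped."""
    usable = len(blob) - len(blob) % UTMP.size
    for off in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(blob, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]),
               "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]}

def failed_logins(blob, threshold=3):
    """Return {(user, host): count} for pairs with >= threshold failures."""
    counts = Counter((r["user"], r["host"]) for r in parse_records(blob))
    return {pair: n for pair, n in counts.items() if n >= threshold}

def make_record(user, host, line, ts):
    """Build one constructed btmp-style record (type 6 = LOGIN_PROCESS)."""
    return UTMP.pack(6, 4242, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, b"\0" * 16)

# Constructed sample data, not taken from a real system.
SAMPLE = b"".join([
    make_record("root", "203.0.113.7", "ssh:notty", 1700000000),
    make_record("root", "203.0.113.7", "ssh:notty", 1700000004),
    make_record("alice", "198.51.100.4", "ssh:notty", 1700000010),
    make_record("root", "203.0.113.7", "ssh:notty", 1700000015),
]) + b"\x06\x00\x00"  # partial trailing record, as after an interrupted write

if __name__ == "__main__":
    for (user, host), n in failed_logins(SAMPLE).items():
        print(f"{n} failed logins for {user!r} from {host}")
```

On a live system, pass the bytes of /var/log/btmp (normally readable only by root) to `failed_logins`.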

Commands Associated With the btmp File

Here, we will list the commands that use the btmp file to fetch the information:

| Commands | Information Retrieved |
|---|---|
| lastb | Displays a list of failed login attempts recorded in the /var/log/btmp file. |
| ac | Displays the number of failed login attempts recorded in the /var/log/btmp file. |
| tac | Displays the failed login attempts recorded in the /var/log/btmp file in reverse chronological order. |
| wtmp | Used to write the information in /var/log/btmp file. |

Conclusion

Linux offers the “utmp” file that stores the information of currently logged-in users. The “wtmp” file stores the historical log of all logins and logouts. The third file, named “btmp”, stores the information on failed login attempts. This article has briefly explained “utmp”, “wtmp”, and “btmp” files in Linux.