utmpdump, utmp, wtmp, btmp

[@] The initial user is logged in on the terminal. Using "su -l" to switch from the initial user to another one does not change the content of the files.

  • /var/run/utmp

The file is a (binary) sequence of utmp structures (declared in <utmp.h>, details depend on the version of libc). There may be more users currently using the system than the file shows, because not all programs use utmp logging.

[@] It was noticed, for example, that a second (parallel) X/Gnome session did not cause an update in the utmp file showing the user as logged in, while the wtmp file showed a logged-out entry for the same session.

  • /var/log/wtmp

The wtmp file records all logins and logouts. Its format is exactly like utmp except that a null username indicates a logout on the associated terminal.

[@] It was noticed that, at least for logouts on pseudo terminals (pts/N), the records still contain the username, while some other fields (i.e. host and pid) are nulled to indicate the logout.
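
The following parser is an added example, not code from the original notes. It pairs wtmp logins with logouts per terminal and accepts both logout forms described above. It assumes the 384-byte little-endian glibc/Linux layout of struct utmp and also treats ut_type DEAD_PROCESS as a logout marker; the helper names and sample records are constructed for illustration.

```python
import struct

# Assumption: little-endian glibc/Linux struct utmp, 384 bytes per record.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
USER_PROCESS, DEAD_PROCESS = 7, 8  # ut_type values from <utmp.h>

def _text(raw):
    """Decode a fixed-width, NUL-padded field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse(blob):
    """Yield one dict per complete record; a trailing partial record is skipped."""
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(blob, off)
        yield {"type": f[0], "pid": f[1], "line": _text(f[2]),
               "user": _text(f[4]), "host": _text(f[5]), "time": f[9]}

def is_logout(rec):
    """Null username (documented rule), or a DEAD_PROCESS record that
    still carries the username (the pts/N case noted above)."""
    return rec["type"] == DEAD_PROCESS or not rec["user"]

def sessions(blob):
    """Pair each login with the next logout on the same terminal line."""
    active, closed = {}, []
    for rec in parse(blob):
        if rec["type"] == USER_PROCESS and rec["user"]:
            active[rec["line"]] = rec
        elif is_logout(rec) and rec["line"] in active:
            start = active.pop(rec["line"])
            closed.append((start["user"], rec["line"], start["host"],
                           start["time"], rec["time"]))
    # Logins with no matching logout are reported with an end time of None.
    return closed + [(r["user"], r["line"], r["host"], r["time"], None)
                     for r in active.values()]

def make(ut_type, pid, line, user, host, sec):
    """Build one constructed record for the sample below."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0, b"")

# Constructed sample data, not taken from a real system.
SAMPLE = b"".join([
    make(USER_PROCESS, 1200, "tty1", "alice", "", 1000),
    make(USER_PROCESS, 1300, "pts/0", "bob", "203.0.113.5", 1100),
    make(DEAD_PROCESS, 0, "pts/0", "bob", "", 1500),   # username kept
    make(DEAD_PROCESS, 0, "tty1", "", "", 1600),       # null username
    make(USER_PROCESS, 1400, "pts/1", "carol", "198.51.100.7", 1700),
])
```

To use it on a real file, pass the bytes of /var/log/wtmp to sessions(); a login reported with an end time of None has no logout record on that terminal.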

  • /var/log/btmp

This file lists unsuccessful login attempts using the same format and is viewable with utmpdump.

