utmpdump, utmp, wtmp, btmp
[@] The initial user is logged in on the terminal. Using "su -l" to switch the initial user into something else does not change content of the files.
The file is a (binary) sequence of utmp structures (declared in <utmp.h>, details depend on the version of libc). There may be more users currently using the system, because not all programs use utmp logging.
[@] It was noticed, for example, that second (parallel) X/Gnome session did not cause update in utmp file showing user as logged in while wtmp file showed logged out entry for the same session.
The wtmp file records all logins and logouts. Its format is exactly like utmp except that a null username indicates a logout on the associated terminal.
[@] It was noticed that at least for logouts on a pseudo terminals (pts/N) still contain username while some other fields are nulled to indicate logout (i.e. host and pid).
This file list unsuccessful login attempts using the same format and viewable by utmpdump.