Utmp: Difference between revisions

For the Florida radio station, see WTMP.

utmp, wtmp, btmp and variants such as utmpx, wtmpx and btmpx are files on Unix-like systems that keep track of all logins and logouts to the system

The utmp file keeps track of the current login state of each user. The wtmp file records all logins and logouts history. The btmp file records failed login attempts.

The utmp, wtmp and btmp files were never a part of any official Unix standard, such as Single UNIX Specification, while utmpx and corresponding APIs are part of it.^[1][2]

Format

utmp, wtmp and btmp

• utmp maintains a full accounting of the current status of the system, system boot time (used by uptime), recording user logins at which terminals, logouts, system events etc.
• wtmp acts as a historical utmp
• btmp records failed login attempts

The utmp file is not a text file, but rather a binary format which needs to be edited by specially crafted programs. The implementation and the fields present in the file differ depending of the system or the libc version, and are defined in the utmp.h header file.

The wtmp and btmp format are exactly like utmp except that a null user name indicates a logout on the associated terminal. Furthermore, the terminal name ~ with user name shutdown or reboot indicates a system shutdown or reboot and the pair of terminal names / logs the old/new system time when date changes it.

utmpx, wtmpx and btmpx

Utmpx and wtmpx are extensions to the original utmp and wtmp, originating from Sun Microsystems. Utmpx is specified in POSIX.

While some systems create different files for the utmpx variants and have obsoleted former formats, this is not always the case. Linux for example just defines the utmpx structure to be the same as utmp.

The utmpx database contains user access and accounting information, while wtmpx database contains the history of user access and accounting information.

Location

Depending on the system, those files may commonly be found in different places (non-exhaustive list) :

Linux :

/var/run/utmp
/var/log/wtmp
/var/log/btmp

Solaris:

/var/adm/utmp (deprecated), /var/adm/utmpx
/var/adm/wtmp (deprecated), /var/adm/wtmpx

HP-UX:

/etc/utmp (deprecated), /etc/utmpx
/var/adm/wtmp (deprecated), /var/adm/wtmpx
/var/adm/btmp (deprecated), /var/adm/btmpx

FreeBSD 9.0 introduced new files while adding support for utmpx:

/var/run/utx.active (replaces utmp)
/var/log/utx.lastlogin (replaces lastlog)
/var/log/utx.log (replaces wtmp)

Related commands

Different commands allow to consult the information stored in those files, including who (which show current system users), last (which show last logged in users) and lastb (which show last failed login attempts, Linux-specific).

See also

• lastlog

References

1. http://www.opengroup.org/onlinepubs/009695399/basedefs/utmpx.h.html
2. http://80386.nl/unix/utmpx/

External links

• last(1): indicate last logins of users and ttys – FreeBSD General Commands Manual
• utmp(5): login records – FreeBSD File Formats Manual
• last: login records – Shell and Utilities Reference, The Single UNIX Specification, Version 4 from The Open Group
• utmp(5): login records – Linux Programmer's Manual – File Formats
• last(1): display login and logout information about users and terminals – Solaris 11.4 User Commands Reference Manual
• wtmp(4): utmp and wtmp entry formats – Solaris 11.4 Device and Network Interfaces Reference Manual
• Solaris Trim wtmpx file