2017-12-26

What is wtmp.



When I was tracing a linux reboot time, found a line of log as below:

wtmp begins Mon Nov 27 09:12:36 2017
Commands I used:

last -f /var/log/wtmp
last -f /var/log/wtmp.1 



Reference URL#1: https://serverfault.com/questions/80939/how-to-find-who-was-logged-in-before-beginning-of-wtmp

Presumably your wtmp file has been rotated, so try last -f /var/log/wtmp.1 or last -f /var/log/wtmp.0 to read the previous files. If those don't work, ls /var/log/wtmp* and see if they're called something else. If they're compressed (.gz extension), decompress 'em.
If they're not there, find whoever setup the bollocks rotation scheme and give them a solid foot-punch to the pantaloons. There's no reason not to keep at least a few weeks' of wtmp logs.


Reference URL#2: https://www.linuxnix.com/read-view-utmp-wtmp-btmp-file-linuxunix/




VIEW UTMP, WTMP AND BTMP FILES

In Linux/Unix operating systems everything is logged some where. Most of the system logs are logged in to /var/log folder. This folder contains logs related to different services and applications. In this folder we have some files such as utmp, wtmp and btmp. These files contains all the details about login’s and logout’s which are from local as well as from remote systems and system status such as uptime etc.
Some info about utmp, wtmp and btmp 
  • utmp will give you complete picture of users logins at which terminals, logouts, system events and current status of the system, system boot time (used by uptime) etc.
  • wtmp gives historical data of utmp.
  • btmp records only failed login attempts.







No comments:

Post a Comment