/var/log/btmp: Explanation & Insights

Contains logs of unsuccessful login attempts

The file /var/log/btmp is a binary file that records unsuccessful login attempts. This file is an important part of the Linux logging system and is essential for system administrators to monitor and identify unauthorized login attempts – potentially indicating a security threat such as a brute force attack.

Understanding the Contents of /var/log/btmp

This file contains the details of failed login attempts. Each record includes the username attempted, the time of the attempt, and the terminal where the attempt was made. The data is stored in a binary format that is not easily readable with standard text editors.

Importance of /var/log/btmp

Monitoring /var/log/btmp is crucial for maintaining system security. By tracking failed login attempts, system administrators can potentially identify patterns or repeated attempts from the same source, which could signify a security threat. Ensuring this file is regularly checked can help promptly detect and respond to such threats.

Reading /var/log/btmp

To read the contents of this file, you use a command called lastb. This command reads from the /var/log/btmp file and formats the data into a human-readable format.


This will output the unsuccessful login attempts in reverse chronological order.

Common Problems and their Diagnosis

By analyzing the /var/log/btmp file, you can solve or diagnose various problems, especially those related to security issues. For instance:

  1. Repeated Failed Login Attempts: If you notice a high frequency of failed login attempts from a particular IP address or for a specific user, this could indicate a brute force attack.

  2. Unusual Login Attempts: If you see failed login attempts at odd hours or during a period when no users should be logging in, this could suggest a potential security breach attempt.

Example of /var/log/btmp Usage

Let's say you want to check if there were any failed login attempts in the last week. You can use the lastb command with the -s option followed by the period you want to check.

lastb -s 7days

This will show all unsuccessful attempts in the last seven days.


The /var/log/btmp file is a powerful tool for monitoring and maintaining the security of your Linux server. Regularly checking this file should be a part of your routine system checks to ensure the integrity of your server. This file, along with other log files such as /var/log/auth.log, provides a comprehensive view of the activities on your server. By understanding and correctly interpreting these files, you can proactively manage and resolve potential security issues.

Except where otherwise noted, content on this site is licensed under a CC BY-SA 4.0 license CC BY SA