/var/log/wtmp Explained

Contains data about logins

/var/log/wtmp or simply wtmp is a system file in Linux that records all logins and logouts history. This file is located in the /var/log/ directory. It is one of the essential files that come in handy when you need to monitor user activities, troubleshoot user login issues or analyze system usage.

Understanding wtmp

The wtmp file is a binary file, meaning it contains data in a format that a computer can directly use. It contains records for each session initiated by a user, whether through a shell session or a remote login. Each record in the file contains information such as the user ID, terminal name, and login time.

Why is wtmp important?

The wtmp file serves as a reliable tool for system administrators to track user activities and system usage. For instance, if there are unexpected system shutdowns or a network issue, administrators can check the wtmp file to see who was logged in at the time. This information can help diagnose the problem or identify misuse of resources.

Typical problems solved using wtmp

If your Linux server experiences repeated unexpected shutdowns, analyzing the wtmp file can aid in diagnosing the problem. By checking who was logged in at the time of each shutdown, you can identify patterns or specific users associated with the crashes.

How to use wtmp

Since wtmp is a binary file, you can't read it directly using a text editor. Instead, you should use the last command to read the file. Here's an example:

last -f /var/log/wtmp

This command will display a list of all logins and logouts recorded in the wtmp file.

Interpreting wtmp content

The output of the last command will look something like this:

root     pts/0        192.168.1.12     Thu Feb 24 10:17   still logged in
reboot   system boot  4.15.0-45-generic Thu Feb 24 10:15   still running
root     pts/0        192.168.1.12     Wed Feb 23 12:00 - crash  (21:14)

Each line represents a session. From left to right, you can see the username, terminal ID, IP address (or hostname), login time and duration.

Cleaning wtmp

Over time, the wtmp file can become large and take up valuable disk space. It's a good practice to clean it periodically. However, never delete the file as it will not be recreated automatically. Instead, truncate it using this command:

cat /dev/null > /var/log/wtmp

This command will empty the wtmp file while keeping it in the system.

Conclusion

The /var/log/wtmp file is a powerful tool for monitoring user activity and diagnosing issues on your Linux server. Understanding how to read and use this file can greatly enhance your ability to manage and troubleshoot your system.

Except where otherwise noted, content on this site is licensed under a CC BY-SA 4.0 license CC BY SA