Logging is an essential part of the Linux based operating systems. The system maintains logs for activities on the system. Logs of users logged in and logged out are also maintained by the system.
The files '/var/run/utmp' and '/var/log/wtmp' contains logs for logins and logouts. These two files are binary files. You cannot see them with any text editor or pager like 'less'. Some commands use these files for their output.
This file contains information about the users who are currently logged onto the system. Who command uses this file to display the logged in users:
root tty1 2012-12-26 11:53
raghu tty8 2012-12-26 03:00 (:0)
raghu pts/0 2012-12-26 11:02 (:0.0)
According to the utmp manual page
The utmp file allows one to discover information about who is currently using the system. There may be more users currently using the system, because not all programs use utmp logging.
This file is like history for utmp file, i.e. it maintains the logs of all logged in and logged out users (in the past). The last command uses this file to display listing of last logged in users.
raghu pts/0 :0.0 Wed Dec 26 11:02 still logged in
raghu tty8 :0 Wed Dec 26 03:00 still logged in
reboot system boot 3.5.0-17-generic Wed Dec 26 03:00 - 11:30 (08:29)
raghu pts/0 :0.0 Wed Dec 26 02:18 - 02:20 (00:01)
raghu tty8 :0 Tue Dec 25 18:36 - down (07:44)
reboot system boot 3.5.0-17-generic Tue Dec 25 18:35 - 02:21 (07:45)
raghu pts/0 :0.0 Tue Dec 25 14:36 - 14:38 (00:02)
raghu pts/0 :0.0 Tue Dec 25 13:33 - 14:14 (00:40)
root pts/0 :0.0 Tue Dec 25 13:25 - 13:25 (00:00)
root pts/0 :0.0 Tue Dec 25 13:23 - 13:23 (00:00)
root pts/0 :0.0 Tue Dec 25 13:21 - 13:21 (00:00)
wtmp begins Mon Nov 5 21:10:35 2012
According to the wtmp manual page
The wtmp file records all logins and logouts. Its format is exactly like utmp except that a null username indicates a logout on the associated terminal. Furthermore, the terminal name ~ with username shutdown or reboot indicates a system shutdown or reboot and the pair of terminal names |/} logs the old/new system time when date(1) changes it. wtmp is maintained by login(1), init(8), and some versions of getty(8) (e.g., mingetty(8) or agetty(8)). None of these programs creates the file, so if it is removed, record-keeping is turned off.
Another important file related to users logins is '/var/log/btmp'. This file contains bad login attempts. This file is used by 'lastb' command:
raghu tty8 :0 Fri Dec 21 06:36 - 06:36 (00:00)
root tty1 Tue Dec 11 14:14 - 14:14 (00:00)
raghu tty7 :0 Mon Dec 10 18:51 - 18:51 (00:00)
In this tutorial, we learned the difference between utmp vs wtmp files in Linux. I hope you enjoyed reading and please leave your suggestions for our attention.