utmpdump: Dump UTMP and WTMP Files in Raw Format

Failed login attempts recorded in /var/log/btmp can be followed in real time with the following command (the -f flag keeps reading as new records are appended to the file):

/bin/utmpdump -f /var/log/btmp

I received a Logwatch email reporting a “corruption detected in /var/log/btmp : XX time(s)” issue. By performing an Internet search for the reported issue, I found Gabriel Cánepa’s How to Monitor User Login History on CentOS with utmpdump. Cánepa describes utmpdump in depth and the fields in each utmpdump line entry.

The eight fields emitted by utmpdump are:

  1. session identifier
  2. PID
  3. “~~” (runlevel change) | “bw” (bootwait process) | TTY | PTY
  4. empty | username | reboot | runlevel
  5. TTY | PTY
  6. remote hostname | kernel version
  7. remote IP address
  8. timestamp
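
As an added example (not code from the original post or from Cánepa's article), the script below parses utmpdump lines in the eight-field bracketed layout listed above and counts btmp records per remote IP address, which is the quickest way to spot a source hammering a host with failed logins. The sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of utmpdump output (not taken from a real system): three
# failed SSH logins from one address plus one console login. Each of the eight
# bracketed fields is padded to a fixed width by utmpdump.
SAMPLE = """\
[6] [01234] [ssh:] [admin   ] [ssh:notty   ] [198.51.100.7        ] [198.51.100.7   ] [2024-03-01T08:00:01,000000+00:00]
[6] [01235] [ssh:] [root    ] [ssh:notty   ] [198.51.100.7        ] [198.51.100.7   ] [2024-03-01T08:00:05,000000+00:00]
[6] [01236] [ssh:] [oracle  ] [ssh:notty   ] [198.51.100.7        ] [198.51.100.7   ] [2024-03-01T08:00:09,000000+00:00]
[7] [00811] [tty1] [alice   ] [tty1        ] [                    ] [0.0.0.0        ] [2024-03-01T08:05:00,000000+00:00]
"""

# Keys follow the field order in the list above (1 = session identifier ... 8 = timestamp).
FIELDS = ("session", "pid", "id", "user", "line", "host", "addr", "time")
_BRACKET = re.compile(r"\[([^\]]*)\]")

def parse_line(line):
    """Split one utmpdump line into a dict keyed by FIELDS, stripping the padding."""
    values = [v.strip() for v in _BRACKET.findall(line)]
    if len(values) != len(FIELDS):
        raise ValueError("expected 8 bracketed fields, got %d: %r" % (len(values), line))
    return dict(zip(FIELDS, values))

def parse_dump(text):
    """Parse every non-empty line of a utmpdump run."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def attempts_by_addr(records, min_count=3):
    """Count records per remote IP (field 7), ignoring local/unset addresses,
    and return the addresses that reach min_count. Run over btmp output this
    flags sources of repeated failed logins."""
    counts = Counter(r["addr"] for r in records if r["addr"] not in ("", "0.0.0.0"))
    return {addr: n for addr, n in counts.items() if n >= min_count}

if __name__ == "__main__":
    recs = parse_dump(SAMPLE)
    for addr, n in attempts_by_addr(recs).items():
        users = sorted({r["user"] for r in recs if r["addr"] == addr})
        print("%s: %d attempts, usernames tried: %s" % (addr, n, ", ".join(users)))
```

To run it against a live system, replace SAMPLE with the output of `/bin/utmpdump /var/log/btmp`.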

Questions, comments, and responses are welcomed and appreciated.
