How to monitor user login history on CentOS with utmpdump

Last updated on September 22, 2014 Authored by Gabriel Cánepa
Leave a comment

Keeping, maintaining and analyzing logs (i.e., accounts of events that have happened during a certain period of time or are currently happening) are among the most basic and essential tasks of a Linux system administrator. In case of user management, examining user logon and logout logs (both failed and successful) can alert us about any potential security breaches or unauthorized use of our system. For example, remote logins from unknown IP addresses or accounts being used outside working hours or during vacation leave should raise a red flag.

On a CentOS system, user login history is stored in the following binary files:

  • /var/run/utmp (which logs currently open sessions) is used by who and w tools to show who is currently logged on and what they are doing, and also by uptime to display system up time.
  • /var/log/wtmp (which stores the history of connections to the system) is used by last tool to show the listing of last logged-in users.
  • /var/log/btmp (which logs failed login attempts) is used by lastb utility to show the listing of last failed login attempts.


In this post I'll show you how to use utmpdump, a simple program from the sysvinit-tools package that can be used to dump these binary log files in text format for inspection. This tool is available by default on stock CentOS 6 and 7. The information gleaned from utmpdump is more comprehensive than the output of the tools mentioned earlier, and that's what makes it a nice utility for the job. Besides, utmpdump can be used to modify utmp or wtmp, which can be useful if you want to fix any corrupted entries in the binary logs.

How to Use Utmpdump and Interpret its Output

As we mentioned earlier, these log files, as opposed to other logs most of us are familiar with (e.g., /var/log/messages, /var/log/cron, /var/log/maillog), are saved in binary file format, and thus we cannot use pagers such as less or more to view their contents. That is where utmpdump saves the day.

In order to display the contents of /var/run/utmp, run the following command:

# utmpdump /var/run/utmp

To do the same with /var/log/wtmp:

# utmpdump /var/log/wtmp

and finally with /var/log/btmp:

# utmpdump /var/log/btmp

As you can see, the output formats of three cases are identical, except for the fact that the records in the utmp and btmp are arranged chronologically, while in the wtmp, the order is reversed.

Each log line is formatted in multiple columns described as follows. The first field shows a session identifier, while the second holds PID. The third field can hold one of the following values: ~~ (indicating a runlevel change or a system reboot), bw (meaning a bootwait process), a digit (indicates a TTY number), or a character and a digit (meaning a pseudo-terminal). The fourth field can be either empty or hold the user name, reboot, or runlevel. The fifth field holds the main TTY or PTY (pseudo-terminal), if that information is available. The sixth field holds the name of the remote host (if the login is performed from the local host, this field is blank, except for run-level messages, which will return the kernel version). The seventh field holds the IP address of the remote system (if the login is performed from the local host, this field will show 0.0.0.0). If DNS resolution is not provided, the sixth and seventh fields will show identical information (the IP address of the remote system). The last (eighth) field indicates the date and time when the record was created.

Usage Examples of Utmpdump

Here are a few simple use cases of utmpdump.

1. Check how many times (and at what times) a particular user (e.g., gacanepa) logged on to the system between August 18 and September 17.

# utmpdump /var/log/wtmp | grep gacanepa

If you need to review login information from prior dates, you can check the wtmp-YYYYMMDD (or wtmp.[1...N]) and btmp-YYYYMMDD (or btmp.[1...N]) files in /var/log, which are the old archives of wtmp and btmp files, generated by logrotate.

2. Count the number of logins from IP address 192.168.0.101.

# utmpdump /var/log/wtmp | grep 192.168.0.101

3. Display failed login attempts.

# utmpdump /var/log/btmp

In the output of /var/log/btmp, every log line corresponds to a failed login attempt (e.g., using incorrect password or a non-existing user ID). Logon using non-existing user IDs are highlighted in the above impage, which can alert you that someone is attempting to break into your system by guessing commonly-used account names. This is particularly serious in the cases when the tty1 was used, since it means that someone had access to a terminal on your machine (time to check who has keys to your datacenter, maybe?).

4. Display login and logout information per user session.

# utmpdump /var/log/wtmp

In /var/log/wtmp, a new login event is characterized by '7' in the first field, a terminal number (or pseudo-terminal id) in the third field, and username in the fourth. The corresponding logout event will be represented by '8' in the first field, the same PID as the login in the second field, and a blank terminal number field. For example, take a close look at PID 1463 in the above image.

  • On [Fri Sep 19 11:57:40 2014 ART] the login prompt appeared in tty1.
  • On [Fri Sep 19 12:04:21 2014 ART], user root logged on.
  • On [Fri Sep 19 12:07:24 2014 ART], root logged out.

On a side note, the word LOGIN in the fourth field means that a login prompt is present in the terminal specified in the fifth field.

So far I covered somewhat trivial examples. You can combine utmpdump with other text sculpting tools such as awk, sed, grep or cut to produce filtered and enhanced output.

For example, you can use the following command to list all login events of a particular user (e.g., gacanepa) and send the output to a .csv file that can be viewed with a pager or a workbook application, such as LibreOffice's Calc or Microsoft Excel. Let's display PID, username, IP address and timestamp only:

# utmpdump /var/log/wtmp | grep -E "\[7].*gacanepa" | awk -v OFS="," 'BEGIN {FS="] "}; {print $2,$4,$7,$8}' | sed -e 's/\[//g' -e 's/\]//g'

As represented with three blocks in the image, the filtering logic is composed of three pipelined steps. The first step is used to look for login events ([7]) triggered by user gacanepa. The second and third steps are used to select desired fields, remove square brackets in the output of utmpdump, and set the output field separator to a comma.

Of course, you need to redirect the output of the above command to a file if you want to open it later (append "> [name_of_file].csv" to the command).

In more complex examples, if you want to know what users (as listed in /etc/passwd) have not logged on during the period of time, you could extract user names from /etc/passwd, and then run grep the utmpdump output of /var/log/wtmp against user list. As you see, possibility is limitless.

Before concluding, let's briefly show yet another use case of utmpdump: modify utmp or wtmp. As these are binary log files, you cannot edit them as is. Instead, you can export their content to text format, modify the text output, and then import the modified content back to the binary logs. That is:

# utmpdump /var/log/utmp > tmp_output
<modify tmp_output using a text editor>
# utmpdump -r tmp_output > /var/log/utmp

This can be useful when you want to remove or fix any bogus entry in the binary logs.

To sum up, utmpdump complements standard utilities such as who, w, uptime, last, lastb by dumping detailed login events stored in utmp, wtmp and btmp log files, as well as in their rotated old archives, and that certainly makes it a great utility.

Feel free to enhance this post with your comments.

utmp的更多相关文章

  1. Linux 日志文件utmp、wtmp、lastlog、messages

            1.有关当前登录用户的信息记录在文件utmp中:==who命令 2.登录进入和退出纪录在文件wtmp中:==w命令 3.最后一次登录文件可以用lastlog命令察看: 4.messag ...

  2. utmp, wtmp, and lastlog 日志清除工具

    utmp, wtmp, and lastlog 日志清除工具 http://blog.itpub.net/83980/viewspace-801664/

  3. /var/run/utmp文件操作函数

    相关函数:getutent, getutid, getutline, setutent, endutent, pututline, utmpname utmp 结构定义如下:struct utmp{  ...

  4. Linux日志文件utmp、wtmp、lastlog、messages

            1.有关当前登录用户的信息记录在文件utmp中:==who命令 2.登录进入和退出纪录在文件wtmp中:==w命令 3.最后一次登录文件可以用lastlog命令察看: 4.messag ...

  5. 登陆记录utmp wtmp

    /var/log/wtmp文件的作用     /var/log/wtmp也是一个二进制文件,记录每个用户的登录次数和持续时间等信息.   查看方法:   可以用last命令输出当中内容: debian ...

  6. linux c 操作utmp 和 wtmp 文件接口

    /var/run/utmp 保存当前在本系统中的用户信息 /var/log/wtmp 保存登陆过本系统的用户信息 他们保存的信息是基于结构体 struct utmp 的(/usr/include/bi ...

  7. struct utmp

    utmp结构体定义如下: structutmp { short int ut_type; // 登录类型 pid_t ut_pid; // login进程的pid char ut_line[UT_LI ...

  8. [转帖]Linux日志文件utmp、wtmp、lastlog、messages

    Linux日志文件utmp.wtmp.lastlog.messages https://www.cnblogs.com/zhuiluoyu/p/6874255.html 1.有关当前登录用户的信息记录 ...

  9. utmp, wtmp - 登 录 记 录(login records)

    SYNOPSIS[总览] #include DESCRIPTION[描述] utmp 文 件 用 于 记 录 当 前 系 统 用 户 是 哪 些 人. 但 是 实 际 的 人 数 可 能 比 这 个 ...

随机推荐

  1. docker 部署 flask(一)配置环境及测试

    简介: flask也是要部署的.不能老在我们的pycharm里面跑测试服务器. 各种配置linux,我看就算了吧.我们用docker部署. 也就两三行命令. 一:选择基础镜像 GitHub repo: ...

  2. python列表[]中括号

    names = ['jack', 'rose', 'tom', 'jerry', 'jerry'] print(names) print(names[0]) names[0] = 'adam' # 改 ...

  3. Maven Spring BOM (bill of materials)

    为了防止用Maven管理Spring项目时,不同的项目依赖了不同版本的Spring,可以使用Maven BOM来解决者一问题. 在依赖管理时,引入spring-framework-bom,如: < ...

  4. 关于Behold the Kickmen (球员登场)

    音乐:『Boring,Boring——』作者浑厚的男中音响起,伴随着劲爆的动感音乐 非同正式却又无伤大雅的规则:足球场是圆形的,而且四周有反弹围墙 加强操作的一些设定: 踢踢人射门蓄力时,时间会静止, ...

  5. WebStrom 多项目展示及vuejs插件安装

    2. Vuejs 插件安装: ① ②

  6. C语言基础:分支语句和常见运算符 分类: iOS学习 c语言基础 2015-06-10 21:44 13人阅读 评论(0) 收藏

    if(判断条件){ 执行语句; }else if(判断条件){ 执行语句; } switch (整型表达式){  case 值1: 执行语句; break; case 值2: 执行语句; break; ...

  7. HDU 2907

    http://acm.hdu.edu.cn/showproblem.php?pid=2907 ans=(凸包顶点数-凸包凹面数量)*q-凸包凹面数量*p 重点在求一个凸包的凹面数量,极角排序过后,当前 ...

  8. 51Nod:活动安排问题之二(贪心)

    有若干个活动,第i个开始时间和结束时间是[Si,fi),同一个教室安排的活动之间不能交叠,求要安排所有活动,最少需要几个室? 输入 第一行一个正整数n (n <= 10000)代表活动的个数. ...

  9. OJ链接

    BNU..好难找..http://www.bnuoj.com

  10. javascript : location 对象

    window.location: window的location对象 window.location.href 整个URl字符串(在浏览器中就是完整的地址栏) window.location.prot ...