utmp, wtmp, lastlog - login records

CONTENTS

Synopsis
Description
Notes
Files
See Also
History

.In sys/types.h
.In utmp.h

The file
.In utmp.h declares the structures used to record information about current users in the file utmp, logins and logouts in the file wtmp, and last logins in the file lastlog. The time stamps of date changes, shutdowns and reboots are also logged in the wtmp file.

#define _PATH_UTMP      "/var/run/utmp"
#define _PATH_WTMP      "/var/log/wtmp"
#define _PATH_LASTLOG   "/var/log/lastlog"

#define UT_NAMESIZE     16
#define UT_LINESIZE     8
#define UT_HOSTSIZE     16

struct lastlog {
        int32_t ll_time;                /* When user logged in */
        char    ll_line[UT_LINESIZE];   /* Terminal line name */
        char    ll_host[UT_HOSTSIZE];   /* Host user came from */
};

struct utmp {
        char    ut_line[UT_LINESIZE];   /* Terminal line name */
        char    ut_name[UT_NAMESIZE];   /* User’s login name */
        char    ut_host[UT_HOSTSIZE];   /* Host user came from */
        int32_t ut_time;                /* When user logged in */
};

The lastlog file is a linear array of
.Vt lastlog structures indexed by a user’s UID. The utmp file is a linear array of
.Vt utmp structures indexed by a terminal line number (see ttyslot(3)). The wtmp file consists of
.Vt utmp structures and is a binary log file, that is, grows linearly at its end.

By default, each time a user logs in, the pam_lastlog(8) program looks up the user’s UID in the file lastlog. If it is found, the timestamp of the last time the user logged in, the terminal line and the hostname are written to the standard output. The pam_lastlog(8) program then records the new login time in the file lastlog.

After the new
.Vt lastlog record is written, the file utmp is opened and the
.Vt utmp record for the user is inserted. This record remains there until the user logs out at which time it is deleted. The utmp file is used by the programs rwho(1), users(1), w(1), and who(1).

Next, the pam_lastlog(8) program opens the file wtmp, and appends the user’s
.Vt utmp record. The user’s subsequent logout from the terminal line is marked by a special
.Vt utmp record with ut_line set accordingly, ut_time updated, but ut_name and ut_host both empty (see init(8)). The wtmp file is used by the programs last(1) and ac(8).

In the event of a date change, a shutdown or reboot, the following items are logged in the wtmp file.

reboot shutdown
	A system reboot or shutdown has been initiated. The character ‘~’ is placed in the field ut_line, and reboot or shutdown in the field ut_name (see shutdown(8) and reboot(8)).
date	The system time has been manually or automatically updated (see date(1)). The command name date is recorded in the field ut_name. In the field ut_line, the character ‘|’ indicates the time prior to the change, and the character ‘{’ indicates the new time.

The wtmp file can grow rapidly on busy systems, so daily or weekly rotation is recommended. It is maintained by newsyslog(8).

If any one of these files does not exist, it is not created by pam_lastlog(8). The files must be created manually.

The supplied login(3), logout(3), and logwtmp(3) utility functions should be used to perform the standard actions on the utmp and wtmp files in order to maintain the portability across systems with different formats of those files.

/var/run/utmp	The utmp file.
/var/log/wtmp	The wtmp file.
/var/log/lastlog
	The lastlog file.

last(1), w(1), who(1), login(3), logout(3), logwtmp(3), ttyslot(3), ac(8), init(8), pam_lastlog(8)

A utmp and wtmp file format appeared in AT&T v6 . The lastlog file format appeared in BSD 3.0 .

Search for    or go to Top of page |  Section 5 |  Main Index

Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.