utmpdump
Dump utmp/wtmp files into human-readable format
TLDR
Dump the /var/log/wtmp file to stdout as plain text
Load a previously dumped file into /var/log/wtmp
SYNOPSIS
utmpdump [options] [file]
PARAMETERS
-f, --follow
Keep the file open and print records as they are appended (like `tail -f`); not supported when reading from standard input.
-o, --output file
Write the output to `file` instead of standard output.
-r, --reverse
Undo a dump: read utmpdump text output and write the corresponding binary utmp/wtmp records. This is how an edited dump is loaded back into `/var/log/wtmp`.
-h, --help
Display help information and exit.
-V, --version
Display version information and exit.
file
The file to dump, usually `/var/run/utmp` (`/run/utmp` on current systems) or `/var/log/wtmp`. If omitted, utmpdump reads from standard input.
DESCRIPTION
utmpdump is a command-line utility (shipped with util-linux on Linux) that dumps the binary records of `utmp` and `wtmp` files as human-readable text, one line per record, and can convert such a dump back into binary form.
The `utmp` file records currently logged-in users and login-related processes: username, terminal line, process ID, login time and remote host or address. The `wtmp` file keeps the same records as an append-only history, so it also covers logouts, system boots, shutdowns and runlevel changes.
`utmpdump` parses the fixed-size binary records and prints the fields of each one in bracketed columns: the numeric record type (for example 7 for a user login, 8 for a terminated session, 2 for a system boot), the process ID, the terminal ID, the username, the terminal device, the remote hostname, the remote IP address, and the timestamp. This lets administrators and investigators inspect login history and current sessions in detail, including fields that `who`, `w` and `last` summarise or hide.
It is particularly useful for forensic analysis of login activity and for repairing a damaged wtmp. Without a filename argument the command reads from standard input; pass `/var/run/utmp` or `/var/log/wtmp` explicitly to dump those files. A one-line banner (`Utmp dump of <file>`) goes to standard error, so redirected standard output contains only the records.
CAVEATS
The utmp and wtmp files are plain binary files writable by root (and commonly by group `utmp`), and anyone with that access can zero individual records in place or rewrite the whole file. `utmpdump` itself makes editing trivial: dump to text, change or delete lines, and load the result back with `-r`. The records are also written voluntarily by login programs (login, sshd, getty, terminal emulators), so a process started without going through them, such as a reverse shell or a `su` that skips the session setup, leaves no trace here at all. Treat utmpdump output as one source to be corroborated with the journal or `auth.log`, audit logs, process accounting and off-host copies, never as authoritative evidence on its own.
FILE LOCATIONS
`/var/run/utmp`: Records currently logged-in users and login processes; on current distributions `/var/run` is a symlink to `/run`, so this is the same file as `/run/utmp`.
`/var/log/wtmp`: Append-only historical log of logins, logouts, boots, shutdowns and runlevel changes; usually rotated by logrotate.
OUTPUT INTERPRETATION
Each output line is one record, with the fields in this order: record type, process ID, terminal ID, username, terminal line, remote host, remote address, timestamp. The first bracketed field is the numeric `ut_type`, and understanding it is what makes the rest of the line readable: 1 (RUN_LVL) is a runlevel change, which is also how a shutdown is recorded (user `shutdown`); 2 (BOOT_TIME) is a system boot (user `reboot`, kernel version in the host field); 5 (INIT_PROCESS) is a process spawned by init; 6 (LOGIN_PROCESS) is a getty or login prompt waiting on a terminal, not yet a user; 7 (USER_PROCESS) is a logged-in user session; 8 (DEAD_PROCESS) marks the end of a session on that terminal line, and normally has an empty username. In `wtmp`, timestamps should only ever increase, every DEAD_PROCESS should close a line that an earlier record opened, and an all-zero record should not occur; deviations from these rules are the usual signature of in-place editing. Note that a session which is still open has a USER_PROCESS record with no matching DEAD_PROCESS, which is normal and not a sign of tampering.
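The following is an added example, not code from util-linux or from this page, that puts the two preceding points (the CAVEATS about manipulation and the record semantics above) into practice. It parses a wtmp image with the same field layout utmpdump uses, prints utmpdump-style lines, and then applies the consistency rules described above to flag records that look edited. Assumptions: the byte layout is glibc's `struct utmp` on x86_64 Linux (384 bytes per record; other ABIs differ), the sample wtmp is constructed inline for illustration, and the printed column widths follow utmpdump's field order but are not byte-exact, so this output is not suitable for `utmpdump -r`.

```python
"""Parse utmp/wtmp records into utmpdump-style lines and flag signs of tampering.

Added example, not util-linux code. Byte layout assumed: glibc struct utmp on
x86_64 Linux (384 bytes per record). The sample wtmp below is constructed here.
"""
import datetime
import socket
import struct

# glibc struct utmp, x86_64: ut_type(short) pad ut_pid(int) ut_line[32] ut_id[4]
# ut_user[32] ut_host[256] ut_exit{short,short} ut_session(int) ut_tv{int,int}
# ut_addr_v6[4](int) reserved[20]. Assumption: this layout; other ABIs differ.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _addr(raw16):
    """Like utmpdump: show IPv4 when the upper 12 bytes of ut_addr_v6 are zero."""
    if raw16[4:] == b"\0" * 12:
        return socket.inet_ntop(socket.AF_INET, raw16[:4])
    return socket.inet_ntop(socket.AF_INET6, raw16)


def parse_records(data):
    """Split a utmp/wtmp image into dicts; a trailing partial record is ignored."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "sec": f[9], "usec": f[10],
                     "addr": _addr(struct.pack("<4i", *f[11:15]))})
    return recs


def dump_text(data):
    """One line per record in utmpdump field order (widths are not byte-exact)."""
    out = []
    for r in parse_records(data):
        ts = datetime.datetime.fromtimestamp(r["sec"], datetime.timezone.utc)
        out.append("[{t}] [{pid:05d}] [{id:<4.4}] [{user:<8.8}] [{line:<8.8}] "
                   "[{host:<16.16}] [{addr:<15}] [{time},{usec:06d}+00:00]".format(
                       t=r["type"], pid=r["pid"], id=r["id"], user=r["user"],
                       line=r["line"], host=r["host"], addr=r["addr"],
                       time=ts.strftime("%Y-%m-%dT%H:%M:%S"), usec=r["usec"]))
    return out


def check_wtmp(data):
    """Heuristics for a wtmp (append-only history) that was edited in place.

    A clean wtmp has no all-zero records, timestamps that never run backwards,
    and a DEAD_PROCESS only on a line that an earlier LOGIN/USER_PROCESS opened.
    Findings are leads to corroborate with other logs, not proof of tampering.
    """
    findings = []
    if len(data) % UTMP_SIZE:
        findings.append("trailing %d bytes are not a whole record (truncated or hand-edited)"
                        % (len(data) % UTMP_SIZE))
    open_lines, last_sec = set(), 0
    for i, r in enumerate(parse_records(data)):
        if r["type"] == 0 and r["sec"] == 0 and r["pid"] == 0:
            findings.append("record %d: all-zero record (in-place wipe of a login?)" % i)
            continue
        if r["sec"] < last_sec:
            findings.append("record %d: timestamp goes backwards (%d < %d)"
                            % (i, r["sec"], last_sec))
        last_sec = max(last_sec, r["sec"])
        if r["type"] in (6, 7):            # LOGIN_PROCESS / USER_PROCESS open a line
            open_lines.add(r["line"])
        elif r["type"] == 8:               # DEAD_PROCESS must close an open line
            if r["line"] not in open_lines:
                findings.append("record %d: DEAD_PROCESS on %s with no preceding login record"
                                % (i, r["line"]))
            open_lines.discard(r["line"])
    return findings


def pack_record(ut_type, pid, line, ut_id, user, host, sec, addr16=b"\0" * 16):
    """Build one binary record; used only to construct the sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, sec, 0,
                       *struct.unpack("<4i", addr16))


T0 = 1_700_000_000  # constructed base time, 2023-11-14T22:13:20Z
SAMPLE_WTMP = b"".join([  # constructed sample, not a real wtmp
    pack_record(2, 0, "~", "~~", "reboot", "6.1.0", T0),
    pack_record(6, 801, "tty1", "tty1", "LOGIN", "", T0 + 5),
    pack_record(7, 801, "tty1", "tty1", "alice", "", T0 + 60),
    pack_record(7, 1200, "pts/0", "ts/0", "bob", "203.0.113.7", T0 + 120,
                socket.inet_aton("203.0.113.7") + b"\0" * 12),
    b"\0" * UTMP_SIZE,                                        # login on pts/1 wiped in place
    pack_record(8, 1500, "pts/1", "ts/1", "", "", T0 + 400),  # its logout was left behind
    pack_record(8, 1200, "pts/0", "ts/0", "", "", T0 + 600),
    pack_record(7, 1700, "pts/2", "ts/2", "carol", "", T0 + 300),  # appended out of order
])

if __name__ == "__main__":
    for text in dump_text(SAMPLE_WTMP):
        print(text)
    for finding in check_wtmp(SAMPLE_WTMP):
        print("FINDING:", finding)
```

Run against a real file with `parse_records(open("/var/log/wtmp", "rb").read())` (root or group `utmp` is needed to read it on most systems). The three checks deliberately stay conservative: a wtmp that was rotated or truncated by logrotate triggers none of them, while the classic log-cleaner pattern of zeroing a USER_PROCESS record in place produces both an all-zero record and an orphaned DEAD_PROCESS, as in the sample.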