LinuxCommandLibrary

utmpdump

Dump utmp/wtmp files into human-readable format

TLDR

Dump the /var/log/wtmp file to stdout as plain text

$ utmpdump [/var/log/wtmp]

Load a previously dumped file into /var/log/wtmp
$ utmpdump [[-r|--reverse]] [dumpfile] > [/var/log/wtmp]

SYNOPSIS

utmpdump [options] [file]

PARAMETERS

-f, --follow
    Keep the file open and print records as they are appended, like `tail -f`; on `/var/log/wtmp` this shows logins and logouts as they happen.

-o, --output file
    Write the output to file instead of standard output.

-r, --reverse
    Undo a previous dump: read the text that utmpdump produced (from the file argument or from standard input) and write the binary records back, so the result can be redirected into a utmp/wtmp file. The text must keep the exact bracketed field layout and timestamp format that utmpdump emits; a line it cannot parse is not converted.

-h, --help
    Display help information and exit.

-V, --version
    Display version information and exit.

file
    The file to dump, usually `/var/run/utmp` (the default when no file is given), `/var/log/wtmp` or `/var/log/btmp`.

DESCRIPTION

utmpdump, part of util-linux, reads the binary login-accounting records described in utmp(5) and prints one line of text per record.

The `utmp` file (`/var/run/utmp`) records who is logged in right now: for each session the username, terminal line, login time, remote host and the PID of the session leader. The `wtmp` file (`/var/log/wtmp`) keeps a historical log of the same records together with logins, logouts, system boots, shutdowns, runlevel changes and clock adjustments. `last`, `who` and `w` read these files but hide part of each record; utmpdump shows every field, including the numeric record type, the PID and the `ut_id` slot that init uses to match a logout to its login.

Each output line carries, in order: record type, PID, `ut_id`, username, terminal line, remote hostname, remote IP address and timestamp. Because that text is a complete representation of the record, `utmpdump -r` can turn it back into binary. That is how corrupt entries are repaired, and equally how anyone with write access to the file edits the login history. utmpdump is therefore the tool of choice for forensic review of these files and for watching login activity, and also the reason the files cannot be trusted on their own (see CAVEATS). Without a file argument the command dumps `/var/run/utmp`.

CAVEATS

The utmp and wtmp files are plain arrays of fixed-size records with no checksum or signature. Anyone who can write them (root, and programs running with the `utmp` group, which owns `/var/run/utmp`) can remove, zero or rewrite entries, and `utmpdump -r` is the standard way to do it: dump, delete the lines, convert back. utmpdump output therefore shows what the file says, not what happened. For anything security-relevant, corroborate it with independent sources: the authentication log or journal (sshd and PAM messages), `/var/log/btmp` for failed logins, `lastlog`, auditd records and, for remote logins, the logs of the peer. Signs that a file has been edited include zeroed (type 0, EMPTY) records in the middle of wtmp, timestamps that go backwards without a clock-change record, and DEAD_PROCESS records whose matching login is missing.

Two further limits apply. Writing a reversed dump back over a live `/var/run/utmp` races with the programs updating it, so do that only on a quiescent system or on a copy. The record format stores the timestamp as a 32-bit count of seconds, so it cannot represent times after January 2038; some distributions are replacing wtmp with a database (wtmpdb) for that reason.
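The two points above, the field layout that utmpdump decodes (DESCRIPTION) and the ease with which the files are edited (CAVEATS), are easiest to see on the raw bytes. The following is an added example written for this page; it is not code from LinuxCommandLibrary or from util-linux. It unpacks the record layout itself, prints records in utmpdump's bracketed style, and runs three tamper heuristics over a wtmp image constructed in the file. It assumes glibc's `struct utmp` on x86_64 (384 bytes, little-endian, 32-bit time fields); the names `parse_utmp`, `dump_line`, `check_wtmp` and `make_rec` are the example's own, and the IP addresses, users and timestamps are made up.

```python
"""Added example (not LinuxCommandLibrary or util-linux code): decode the
on-disk records utmpdump reads, print them in utmpdump's bracketed style
and apply tamper heuristics to a constructed wtmp image.  Assumed layout:
glibc struct utmp on x86_64 (384 bytes, little-endian, int32 time fields);
other libcs and architectures lay the struct out differently."""
import struct
from datetime import datetime, timezone

# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit{e_termination,e_exit}, ut_session, ut_tv{tv_sec,tv_usec} (int32 each),
# ut_addr_v6[4], __unused[20]
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

EMPTY, BOOT_TIME, NEW_TIME, OLD_TIME = 0, 2, 3, 4
LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 6, 7, 8


def _cstr(b):
    """NUL-terminated fixed-width field -> str."""
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Split a utmp/wtmp byte image into one dict per 384-byte record."""
    if len(data) % UTMP_SIZE:
        raise ValueError("size %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    recs = []
    for off in range(0, len(data), UTMP_SIZE):
        (t, pid, line, uid, user, host, _term, _exit, _sess,
         sec, usec, a0, a1, a2, a3) = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": t, "pid": pid, "id": _cstr(uid), "user": _cstr(user),
                     "line": _cstr(line), "host": _cstr(host),
                     "sec": sec, "usec": usec, "addr": (a0, a1, a2, a3)})
    return recs


def dump_line(r):
    """utmpdump column order: [type] [pid] [id] [user] [line] [host] [addr] [time].
    Narrow legacy widths; current util-linux pads user/line/host to the struct widths."""
    a0, a1, a2, a3 = r["addr"]
    if a1 == a2 == a3 == 0:  # IPv4 sits in ut_addr_v6[0] in network byte order
        addr = ".".join(str(b) for b in struct.pack("<i", a0))
    else:                    # IPv6 shown as raw words here (utmpdump uses inet_ntop)
        addr = ":".join("%08x" % (x & 0xFFFFFFFF) for x in r["addr"])
    ts = datetime.fromtimestamp(r["sec"], timezone.utc)  # utmpdump prints local time
    when = ts.strftime("%Y-%m-%dT%H:%M:%S") + ",%06d+00:00" % r["usec"]
    return "[%d] [%05d] [%-4.4s] [%-8.8s] [%-12.12s] [%-20.20s] [%-15s] [%s]" % (
        r["type"], r["pid"], r["id"], r["user"], r["line"], r["host"], addr, when)


def check_wtmp(recs):
    """Tamper heuristics for wtmp -> list of (record index, reason).  Each is a
    triage lead, not proof: confirm against the auth log, btmp, lastlog, auditd."""
    findings, last_sec, open_lines = [], None, set()
    for i, r in enumerate(recs):
        # 1. wtmp is append-only: an all-zero record inside it means an entry was overwritten.
        if r["type"] == EMPTY:
            findings.append((i, "zeroed record (ut_type EMPTY)"))
            continue
        # 2. Time only moves forward, except around an OLD_TIME/NEW_TIME clock-change pair.
        if last_sec is not None and r["sec"] < last_sec and r["type"] not in (NEW_TIME, OLD_TIME):
            findings.append((i, "timestamp earlier than previous record"))
        last_sec = r["sec"]
        # 3. A DEAD_PROCESS on a line nothing opened since boot: its login record was removed.
        if r["type"] == BOOT_TIME:
            open_lines.clear()
        elif r["type"] in (LOGIN_PROCESS, USER_PROCESS):
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] not in open_lines:
                findings.append((i, "DEAD_PROCESS with no login on %s" % r["line"]))
            open_lines.discard(r["line"])
    return findings


def make_rec(t, pid, line, uid, user, host, sec, ip=(0, 0, 0, 0)):
    """Constructed record in the layout above (what `utmpdump -r` writes back)."""
    a0 = struct.unpack("<i", bytes(ip))[0]
    return struct.pack(UTMP_FMT, t, pid, line.encode(), uid.encode(),
                       user.encode(), host.encode(), 0, 0, 0, sec, 0, a0, 0, 0, 0)


T0 = 1700000000  # 2023-11-14T22:13:20Z; every record below is constructed
SAMPLE_WTMP = b"".join([
    make_rec(BOOT_TIME, 0, "~", "~~", "reboot", "6.1.0-kernel", T0),
    make_rec(USER_PROCESS, 1234, "pts/0", "ts/0", "alice", "192.0.2.10", T0 + 60, (192, 0, 2, 10)),
    make_rec(USER_PROCESS, 1300, "pts/1", "ts/1", "bob", "198.51.100.7", T0 + 120, (198, 51, 100, 7)),
    make_rec(DEAD_PROCESS, 1234, "pts/0", "ts/0", "", "", T0 + 600),
    bytes(UTMP_SIZE),                                                 # entry zeroed by a cleaner
    make_rec(DEAD_PROCESS, 1500, "pts/2", "ts/2", "", "", T0 + 900),  # its login was deleted
    make_rec(USER_PROCESS, 1600, "pts/3", "ts/3", "carol", "203.0.113.5", T0 + 300, (203, 0, 113, 5)),  # out of order
])

if __name__ == "__main__":
    print("\n".join(dump_line(r) for r in parse_utmp(SAMPLE_WTMP)))
    print(check_wtmp(parse_utmp(SAMPLE_WTMP)))
```

On a real system, `parse_utmp(open("/var/log/wtmp", "rb").read())` gives the same records that `utmpdump /var/log/wtmp` prints, and the three heuristics flag the leftovers of the dump-edit-reverse cycle described above; a clean file, or one where the attacker also fixed up the logout and timestamps, produces no findings, which is why the checks are leads to be corroborated rather than verdicts.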

FILE LOCATIONS

`/var/run/utmp`: Records currently logged-in users; the default input. On systems where `/var/run` is a symlink to `/run`, this is the same file as `/run/utmp`.
`/var/log/wtmp`: Historical log of logins, logouts, and system events. Rotated copies (`wtmp.1` and so on, where logrotate handles the file) hold older history and are dumped the same way.
`/var/log/btmp`: Failed login attempts, in the same record format. Normally read with `lastb`, but utmpdump dumps it too.

OUTPUT INTERPRETATION

Each line is one record with eight bracketed fields: record type, PID, `ut_id` (the inittab id or the tail of the tty name), user, terminal line, remote host, remote IP address and timestamp. The type is printed as the number defined in utmp(5), so interpreting a dump is mostly a matter of knowing those numbers:

0  EMPTY
    Unused slot. Normal as padding in utmp; inside wtmp it usually means a record was zeroed.

1  RUN_LVL
    Runlevel change, including the `shutdown` record written at halt.

2  BOOT_TIME
    System boot. User is `reboot`, line is `~`, and the host field carries the kernel release.

3  NEW_TIME, 4  OLD_TIME
    The system clock was changed; written as a pair.

5  INIT_PROCESS
    A process spawned by init, before it becomes a getty.

6  LOGIN_PROCESS
    A getty or login program waiting for a user on a terminal (user shown as `LOGIN`). Nobody has logged in yet.

7  USER_PROCESS
    A logged-in user session. This is the record that `who` and `last` report as a login.

8  DEAD_PROCESS
    The session or getty on that line ended. Pairing it with the preceding USER_PROCESS on the same line gives the logout time.

9  ACCOUNTING
    Reserved; not written by the usual tools.

A USER_PROCESS with no later DEAD_PROCESS on its line is either still open or was cut off by a reboot; `last` labels those `still logged in`, `crash` (when a boot record follows) or `gone - no logout`.
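Turning the record types into the session list that `last` shows is the usual next step after a dump. The following added example, written for this page and not taken from LinuxCommandLibrary or util-linux, parses utmpdump text lines and pairs each USER_PROCESS with the DEAD_PROCESS on the same terminal line, treating a BOOT_TIME as the end of anything still open. The dump lines are constructed; the function and variable names are the example's own.

```python
"""Added example (not LinuxCommandLibrary or util-linux code): pair utmpdump
record types into login sessions the way last(1) does.  A USER_PROCESS opens
a session on its line, the next DEAD_PROCESS on that line closes it, and a
BOOT_TIME cuts off whatever is still open.  SAMPLE_DUMP is constructed; feed
sessions() the lines of `utmpdump /var/log/wtmp` for real data."""
import re
from datetime import datetime

BOOT_TIME, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 2, 6, 7, 8
FIELD = re.compile(r"\[([^\]]*)\]")


def parse_dump_line(line):
    """[type] [pid] [id] [user] [line] [host] [addr] [time] -> dict.
    The ,usec and UTC-offset suffix of the timestamp is dropped here."""
    f = [m.strip() for m in FIELD.findall(line)]
    if len(f) != 8:
        raise ValueError("not a utmpdump line: %r" % line)
    return {"type": int(f[0]), "pid": int(f[1]), "id": f[2], "user": f[3],
            "line": f[4], "host": f[5], "addr": f[6],
            "time": datetime.strptime(f[7][:19], "%Y-%m-%dT%H:%M:%S")}


def sessions(dump_lines):
    """Return (user, line, host, login, logout, how) tuples; logout is None and
    how is 'still logged in' for sessions the file never closes."""
    open_, out = {}, []
    for rec in map(parse_dump_line, dump_lines):
        t = rec["type"]
        if t == BOOT_TIME:
            for r in open_.values():  # open at reboot: last(1) prints "crash"
                out.append((r["user"], r["line"], r["host"], r["time"], rec["time"], "cut by reboot"))
            open_.clear()
        elif t == USER_PROCESS:
            open_[rec["line"]] = rec
        elif t == DEAD_PROCESS:
            r = open_.pop(rec["line"], None)
            if r is not None:
                out.append((r["user"], r["line"], r["host"], r["time"], rec["time"], "logout"))
        # LOGIN_PROCESS is a getty waiting on a tty, not a session; RUN_LVL,
        # INIT_PROCESS and the clock-change records carry no user either.
    for r in open_.values():
        out.append((r["user"], r["line"], r["host"], r["time"], None, "still logged in"))
    return out


def remote_logins(dump_lines):
    """USER_PROCESS records with a remote host: the ones to correlate with
    sshd lines in the auth log or journal."""
    return [(r["user"], r["host"], r["time"]) for r in map(parse_dump_line, dump_lines)
            if r["type"] == USER_PROCESS and r["host"]]


# Constructed dump: a boot, a getty on tty1, two ssh logins, one logout,
# a reboot that cuts bob's session short, then alice logging in again.
SAMPLE_DUMP = """\
[2] [00000] [~~  ] [reboot  ] [~           ] [6.1.0-kernel        ] [0.0.0.0        ] [2023-11-14T22:13:20,000000+00:00]
[6] [00801] [tty1] [LOGIN   ] [tty1        ] [                    ] [0.0.0.0        ] [2023-11-14T22:13:25,000000+00:00]
[7] [01234] [ts/0] [alice   ] [pts/0       ] [192.0.2.10          ] [192.0.2.10     ] [2023-11-14T22:14:20,000000+00:00]
[7] [01300] [ts/1] [bob     ] [pts/1       ] [198.51.100.7        ] [198.51.100.7   ] [2023-11-14T22:15:20,000000+00:00]
[8] [01234] [ts/0] [        ] [pts/0       ] [                    ] [0.0.0.0        ] [2023-11-14T22:23:20,000000+00:00]
[2] [00000] [~~  ] [reboot  ] [~           ] [6.1.0-kernel        ] [0.0.0.0        ] [2023-11-15T08:00:00,000000+00:00]
[7] [01410] [ts/0] [alice   ] [pts/0       ] [192.0.2.10          ] [192.0.2.10     ] [2023-11-15T08:05:00,000000+00:00]
""".splitlines()

if __name__ == "__main__":
    for user, line, host, login, logout, how in sessions(SAMPLE_DUMP):
        print("%-6s %-6s %-14s %s -> %s (%s)" % (user, line, host, login, logout, how))
```

The pairing key is the terminal line, not the PID: a session's DEAD_PROCESS is written by init or the session leader with the same `ut_line`, and the `[8]` record carries an empty user, so the login record is the only place the username appears. The same logic applied to the utmp file (rather than wtmp) yields only the open sessions, which is what `who` prints.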

SEE ALSO

last(1), lastb(1), w(1), who(1), login(1), utmp(5)
