BTMP Log Data

BTMP data will contain the data for bad login attempts under /var/run/btmp. The BTMP file will reveal invalid login attempts and where they originated.

The data here shows not only the invalid login date, but if available the previous entry date which can be used to help bracket times in the event the log file was tampered with to hide activity.

{
    "entry_number": 0,
    "type": 0,
    "type_name": "",
    "pid": 0,
    "device": "",
    "id": "",
    "username": "",
    "hostname": "",
    "exit_status": {
        "termination": 0,
        "exit": 0
    },
    "session": 0,
    "date": {
        "created": "",
        "created_previous_entry": "",
        "created_minutes": 0
    },
    "ip_address": "",
    "reserved": ""
}

Did this page help you?