UTMP Log Data

UTMP data records the sessions the system currently considers active and is typically read from /var/run/utmp (/run/utmp on systems where /var/run is a symlink to /run). Each record identifies the user, the terminal or pseudo-terminal they hold, the host or IP address they connected from, and the time the record was written. Because utmp is a live snapshot rather than a history (past logins are kept in wtmp and failed attempts in btmp), it shows only the users the system believes are logged in with an interactive session, plus boot and run-level records; a user who has logged out, or whose entry has been removed, will not appear.

Each parsed entry carries not only its own creation time but, where one exists, the creation time of the entry immediately before it. Since utmp is normally appended in order, an unexpected gap or a timestamp that runs backwards between neighbouring entries helps bracket the window in which records were removed or rewritten to hide activity.

{
	"entry_number": 0,
	"type": 0,
	"type_name": "",
	"pid": 0,
	"device": "",
	"id": "",
	"username": "",
	"hostname": "",
	"exit_status": {
		"termination": 0,
		"exit": 0
	},
	"session": 0,
	"date": {
		"created": "",
		"created_previous_entry": "",
		"created_minutes": 0
	},
	"ip_address": "",
	"reserved": ""
}
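The following parser is an added example, not the page's or any tool's own code. It reads raw utmp/wtmp bytes into the entry shape shown above and adds the two checks the previous-entry timestamp is meant to support. It assumes the glibc x86_64 struct utmp layout (384-byte records); other libcs and 32-bit ABIs differ. It also assumes created_minutes means minutes elapsed since the previous entry, which is an interpretation rather than something the page states. The boot, login and logout records are constructed sample input.

```python
"""Parse glibc-layout utmp/wtmp records into the entry shape shown above."""
import struct
import ipaddress
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on x86_64 (bits/utmp.h), 384 bytes per record:
# ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (e_termination, e_exit), ut_session, ut_tv (tv_sec, tv_usec),
# ut_addr_v6[4] kept as 16 raw bytes, __unused[20].
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

TYPE_NAMES = {
    0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
    5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
    8: "DEAD_PROCESS", 9: "ACCOUNTING",
}


def _cstr(raw):
    """NUL-terminated fixed-width field to str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _ip(addr16):
    """glibc stores an IPv4 address in ut_addr_v6[0] with the other words zero."""
    if addr16 == b"\0" * 16:
        return ""
    if addr16[4:] == b"\0" * 12:
        return str(ipaddress.IPv4Address(addr16[:4]))
    return str(ipaddress.IPv6Address(addr16))


def _iso(tv_sec, tv_usec):
    return datetime.fromtimestamp(tv_sec, timezone.utc).replace(microsecond=tv_usec).isoformat()


def parse_utmp(data):
    """Return {"entries": [...], "trailing_bytes": n} for raw utmp/wtmp bytes."""
    entries, prev = [], None
    usable = len(data) - len(data) % UTMP_SIZE
    for n, off in enumerate(range(0, usable, UTMP_SIZE)):
        (ut_type, pid, line, ut_id, user, host, term, exit_code, session,
         tv_sec, tv_usec, addr, unused) = struct.unpack_from(UTMP_FMT, data, off)
        entries.append({
            "entry_number": n,
            "type": ut_type,
            "type_name": TYPE_NAMES.get(ut_type, "UNKNOWN"),
            "pid": pid,
            "device": _cstr(line),
            "id": _cstr(ut_id),
            "username": _cstr(user),
            "hostname": _cstr(host),
            "exit_status": {"termination": term, "exit": exit_code},
            "session": session,
            "date": {
                "created": _iso(tv_sec, tv_usec),
                "created_previous_entry": prev[1] if prev else "",
                # Assumed meaning: minutes elapsed since the previous entry.
                "created_minutes": (tv_sec - prev[0]) / 60 if prev else 0,
            },
            "ip_address": _ip(addr),
            "reserved": unused.hex() if unused.strip(b"\0") else "",
        })
        prev = (tv_sec, entries[-1]["date"]["created"])
    return {"entries": entries, "trailing_bytes": len(data) % UTMP_SIZE}


def find_anomalies(parsed):
    """Signs of truncation or reordering that normal appends do not produce."""
    issues = []
    if parsed["trailing_bytes"]:
        issues.append(f"{parsed['trailing_bytes']} trailing bytes: not a whole number of records")
    for e in parsed["entries"]:
        if e["date"]["created_minutes"] < 0:
            issues.append(f"entry {e['entry_number']} precedes the previous entry by "
                          f"{-e['date']['created_minutes']:g} minutes")
    return issues


def build_record(ut_type, pid, line, ut_id, user, host, tv_sec, ip=""):
    """Pack one record; used here only to construct sample input."""
    addr = ipaddress.ip_address(ip).packed if ip else b""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       addr.ljust(16, b"\0"), b"")


# Constructed sample: a boot record, an ssh login on pts/0, and its logout 45 minutes later.
T0 = 1709294400  # 2024-03-01T12:00:00Z
SAMPLE_UTMP = b"".join([
    build_record(2, 0, "~", "~~", "reboot", "", T0),
    build_record(7, 4242, "pts/0", "ts/0", "alice", "10.0.0.5", T0 + 600, "10.0.0.5"),
    build_record(8, 4242, "pts/0", "ts/0", "", "", T0 + 3300),
])

if __name__ == "__main__":
    import json
    result = parse_utmp(SAMPLE_UTMP)
    print(json.dumps(result["entries"], indent=2))
    print(find_anomalies(result) or "no anomalies")
```

Run against a real file with parse_utmp(open("/var/run/utmp", "rb").read()). A file whose size is not a multiple of the record size, or whose neighbouring entries run backwards in time, is worth treating as possibly edited rather than as a parser problem; wtmp can be fed to the same function to recover the history utmp no longer holds.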