
(U|W|B)TMP Log Data

The utmp, wtmp, and btmp files form a trio of logs that contain user login information.

UTMP data covers currently logged-in users and is typically found at /var/run/utmp. The UTMP file reveals the logged-in users and the locations they logged in from on the host. This file only shows active users that the system thinks are logged in with an interactive shell.

WTMP data covers current and past logged-in users and is typically found at /var/log/wtmp. The WTMP file reveals current and past logged-in users and the locations they logged in from on the host.

BTMP data covers bad login attempts and is found under /var/run/btmp. The BTMP file reveals invalid login attempts and where they originated.

The data here, shared between all three log types, shows not only the login date but also, if available, the date of the previous entry, which can help bracket times if the log file was tampered with to hide activity.

{
	"entry_number": 0,
	"type": 0,
	"type_name": "",
	"pid": 0,
	"device": "",
	"id": "",
	"username": "",
	"hostname": "",
	"exit_status": {
		"termination": 0,
		"exit": 0
	},
	"session": 0,
	"date": {
		"created": "",
		"created_previous_entry": "",
		"created_minutes": 0
	},
	"ip_address": "",
	"reserved": ""
}
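
As an added example (not part of the product's own code), the Python below shows one way to use created_previous_entry to bracket entries whose own date is missing or out of order. It assumes ISO 8601 timestamp strings and an empty string for a missing date, since the schema above does not specify the date format; the function and sample names are hypothetical.

```python
from datetime import datetime

# Constructed sample in the schema above (other fields omitted for brevity).
# Timestamps are assumed to be ISO 8601 strings; "" means no date was recovered.
SAMPLE_RECORDS = [
    {"entry_number": 0, "username": "alice",
     "date": {"created": "2024-03-01T08:00:00", "created_previous_entry": ""}},
    {"entry_number": 1, "username": "",
     "date": {"created": "", "created_previous_entry": "2024-03-01T08:00:00"}},
    {"entry_number": 2, "username": "bob",
     "date": {"created": "2024-03-01T09:30:00", "created_previous_entry": ""}},
    {"entry_number": 3, "username": "carol",
     "date": {"created": "2024-03-01T09:00:00",
              "created_previous_entry": "2024-03-01T09:30:00"}},
]

def _ts(value):
    """Parse an ISO 8601 string; return None when empty or unparsable."""
    try:
        return datetime.fromisoformat(value) if value else None
    except ValueError:
        return None

def bracket_suspect_entries(records):
    """Return a time window for each entry whose own date is missing or out of order."""
    ordered = sorted(records, key=lambda r: r["entry_number"])
    findings = []
    for i, rec in enumerate(ordered):
        created = _ts(rec["date"]["created"])
        previous = _ts(rec["date"]["created_previous_entry"])
        if created is None:
            reason = "missing timestamp"
        elif previous is not None and created < previous:
            reason = "earlier than previous entry"
        else:
            continue
        # Upper bound: first later entry with a date not before the lower bound.
        later = [_ts(n["date"]["created"]) for n in ordered[i + 1:]]
        not_after = next((t for t in later
                          if t and (previous is None or t >= previous)), None)
        findings.append({"entry_number": rec["entry_number"], "reason": reason,
                         "not_before": previous, "not_after": not_after})
    return findings

if __name__ == "__main__":
    for finding in bracket_suspect_entries(SAMPLE_RECORDS):
        print(finding)
```

A backward-running timestamp can also follow a legitimate system clock change, so treat each finding as a window to examine against other sources rather than as proof of tampering.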