WTMP Log Data

WTMP data will contain the data for current and past logged in users reported typically under /var/log/wtmp. The WTMP file will reveal current and past logged in users and locations where they logged in from on the host.

The data here shows not only the logged in date, but if available the previous entry date which can be used to help bracket times in the event the log file was tampered with to hide activity.

{
    "entry_number": 0,
    "type": 0,
    "type_name": "",
    "pid": 0,
    "device": "",
    "id": "",
    "username": "",
    "hostname": "",
    "exit_status": {
        "termination": 0,
        "exit": 0
    },
    "session": 0,
    "date": {
        "created": "",
        "created_previous_entry": "",
        "created_minutes": 0
    },
    "ip_address": "",
    "reserved": ""
}

Did this page help you?