Home / server / Questions / 584733
Accepted
osgx
Asked: 2014-03-27 10:32:43 +0800 CST

Decode all records from wtmp

  • 772

The Linux log /var/log/wtmp according to the man page http://linux.die.net/man/5/wtmp stores "utmp" events for many system events, like logging into it (LOGIN_PROCESS ut_type), changing runlevel (RUN_LVL ut_type) and other.

There is last utility, which parses wtmp and prints who was logged into the system, and when it was rebooted.

Is there tool to display other records from wtmp log?

What is the process which writes info into wtmp log?

linux

2 Answers

  1. You should look at the audit log instead.

    Try using ausearch, it offers what utmp does and more.

    • 1
  2. Best Answer

    There are several simple perl parsers for wtmp files, like wtmp.pl by "Brocade Blue"

    http://brocadeblue.blogspot.com/2012/10/perl-script-to-parse-wtmp-logs.html

    Full source of wtmp.pl with minor typos fixed:

    #!/usr/bin/perl
@type = (
    "Empty", "Run Lvl", "Boot", "New Time", "Old Time", "Init",
    "Login", "Normal",  "Term", "Account"
);
$recs = "";
while (<>) { 
    $recs .= $_;
}
foreach ( split( /(.{384})/s, $recs ) ) {
    next if length($_) == 0 ;
    my ( $type, $pid, $line, $inittab, $user, $host, $t1, $t2, $t3, $t4, $t5 ) =
      $_ =~ /(.{4})(.{4})(.{32})(.{4})(.{32})(.{256})(.{4})(.{4})(.{4})(.{4})(.{4})/s;
    if ( defined $line && $line =~ /\w/ ) {  ##FILTER
        $line =~ s/\x00+//g;
        $host =~ s/\x00+//g;
        $user =~ s/\x00+//g;
        printf(
            "%s %-8s %-12s %10s %-45s \n",
            scalar( gmtime( unpack( "I4", $t3 ) ) ),
            $type[ unpack( "I4", $type ) ],
            $user,   $line,   $host
        );
    }
}
printf "\n"

    The script may not work on 64-bit machines. The "384" and long line with (.{4}) should be fixed for 64-bit environment.

    PS: to see really all records, disable the expression in the if marked with "##FILTER".

    • 1