When a user logs in what files are updated in UNIX / Linux

One of our regular reader asks:

I’d like to discover information about who is currently using the system. When a user logs in what files are updated in UNIX / Linux?

Linux / UNIX have utmp and wtmp files to keep login records. Following three files keeps track of all logins and logouts to the system.

=> /var/run/utmp : List of current login sessions.
=> /var/log/wtmp : Database of past user logins / previous login sessions.
=> /var/log/lastlog : Last logins information about users

How do I access login records files?

These are a binary log files, and grows linearly at its end. So you cannot view records using cat or other text based utilities. The file <utmp.h> declares the structures used to record information about current users in the file. This can be accessed using C programs or other specialized utilities:

• The utmp file is used and accessed by the following commands:
  • users command to print the user names of users currently logged in to the current host
  • w command to display who is logged in and what they are doing
  • who command to find out who is logged in
• The wtmp file is used and accessed by the following command:
  • last command to find system last reboot date and time
  • ac command to keep a detailed audit trail of what’s being done on your Linux systems

Suggested readings:

• Man pages - ac(1), date(1), last(1), login(1), who(1), getutent(3), updwtmp(3), init(8), wtmp(5)
• Header file /usr/include/utmp.h

Featured Articles:

• 20 Linux System Monitoring Tools Every SysAdmin Should Know
• 20 Linux Server Hardening Security Tips
• Linux: 20 Iptables Examples For New SysAdmins
• My 10 UNIX Command Line Mistakes
• 25 PHP Security Best Practices For Sys Admins
• The Novice Guide To Buying A Linux Laptop
• Top 5 Email Client For Linux, Mac OS X, and Windows Users
• Top 20 OpenSSH Server Best Security Practices
• Top 10 Open Source Web-Based Project Management Software