:man| Alphabetical   Categories   About us 
UTMP (5) | File formats and conventions | Unix Manual Pages | :man


utmp, wtmp, lastlog - login records


See Also


.In sys/types.h
.In utmp.h


The file
.In utmp.h declares the structures used to record information about current users in the file utmp, logins and logouts in the file wtmp, and last logins in the file lastlog. The time stamps of date changes, shutdowns and reboots are also logged in the wtmp file.
#define _PATH_UTMP "/var/run/utmp"
#define _PATH_WTMP "/var/log/wtmp"
#define _PATH_LASTLOG "/var/log/lastlog"

#define UT_NAMESIZE16
#define UT_LINESIZE8
#define UT_HOSTSIZE16

struct lastlog {
int32_t ll_time; /* When user logged in */
char ll_line[UT_LINESIZE]; /* Terminal line name */
char ll_host[UT_HOSTSIZE]; /* Host user came from */

struct utmp {
char ut_line[UT_LINESIZE]; /* Terminal line name */
char ut_name[UT_NAMESIZE]; /* User’s login name */
char ut_host[UT_HOSTSIZE]; /* Host user came from */
int32_t ut_time; /* When user logged in */

The lastlog file is a linear array of
.Vt lastlog structures indexed by a user’s UID. The utmp file is a linear array of
.Vt utmp structures indexed by a terminal line number (see ttyslot(3)). The wtmp file consists of
.Vt utmp structures and is a binary log file, that is, grows linearly at its end.

By default, each time a user logs in, the pam_lastlog(8) program looks up the user’s UID in the file lastlog. If it is found, the timestamp of the last time the user logged in, the terminal line and the hostname are written to the standard output. The pam_lastlog(8) program then records the new login time in the file lastlog.

After the new
.Vt lastlog record is written, the file utmp is opened and the
.Vt utmp record for the user is inserted. This record remains there until the user logs out at which time it is deleted. The utmp file is used by the programs rwho(1), users(1), w(1), and who(1).

Next, the pam_lastlog(8) program opens the file wtmp, and appends the user’s
.Vt utmp record. The user’s subsequent logout from the terminal line is marked by a special
.Vt utmp record with ut_line set accordingly, ut_time updated, but ut_name and ut_host both empty (see init(8)). The wtmp file is used by the programs last(1) and ac(8).

In the event of a date change, a shutdown or reboot, the following items are logged in the wtmp file.

A system reboot or shutdown has been initiated. The character ‘~’ is placed in the field ut_line, and reboot or shutdown in the field ut_name (see shutdown(8) and reboot(8)).

date The system time has been manually or automatically updated (see date(1)). The command name date is recorded in the field ut_name. In the field ut_line, the character ‘|’ indicates the time prior to the change, and the character ‘{’ indicates the new time.


The wtmp file can grow rapidly on busy systems, so daily or weekly rotation is recommended. It is maintained by newsyslog(8).

If any one of these files does not exist, it is not created by pam_lastlog(8). The files must be created manually.

The supplied login(3), logout(3), and logwtmp(3) utility functions should be used to perform the standard actions on the utmp and wtmp files in order to maintain the portability across systems with different formats of those files.


/var/run/utmp The utmp file.
/var/log/wtmp The wtmp file.
/var/log/lastlog The lastlog file.


last(1), w(1), who(1), login(3), logout(3), logwtmp(3), ttyslot(3), ac(8), init(8), pam_lastlog(8)


Created by Blin Media, 2008-2013