Login Records (utmp, wtmp, failedlogin)
User logins under AIX are recorded in the files /etc/utmp and /var/adm/wtmp. Incorrect login attempts also in the file /etc/security/failedlogin. However, these files do not use ASCII format, but save the data in binary form. Each entry in these files is a utmp structure (defined in /usr/include/utmp.h). The content of the files can therefore not simply be displayed with an editor or the cat(1) command.
The entries in these log files are made by programs such as init(1), getty(1), login(1) and sshd(8). Entries for currently logged in users can be found in /etc/utmp (and /var/adm/wtmp).
There are a number of commands that display information from these log files, such as:
- finger(1) oe f(1): display user information
- last(1): display last logins
- who(1): show currently logged in users
Some of these commands allow to specify a file in utmp format. The command then uses the specified file instead of the default file, often /etc/utmp.
In addition to user logins, some other events are recorded in the log files /etc/utmp and /var/adm/wtmp:
- Starting processes with init(1).
- Changing the date or time with the date(1) command.
- Shutting down or rebooting the system.
- Changing the time by timed(1).