If the date and/or time is set on a system with the date(1) command, this is also recorded in /etc/utmp and /var/adm/wtmp. Two utmp records are always logged in this case. The first utmp entry uses type 3 (OLD_TIME) and the second entry uses type 4 (NEW_TIME).

To demonstrate, let’s change the time on a test system:

# date
Thu Jan 13 15:59:29 CET 2022
# date 01131558
Thu Jan 13 15:58:53 CET 2022
# 

The entries generated are:

# /usr/sbin/acct/fwtmp </etc/utmp |grep time
                        old time      3     0 0000 0000 1642085993                                  Thu Jan 13 15:59:53 2022
                        new time      4     0 0000 0000 1642085933                                  Thu Jan 13 15:58:53 2022
# 

The time was changed at 15:59:53 (type 3 entry “old time“) and was set to the new time 15:58:53 (type 4 entry “new time“).

This can also be displayed with the who(1) command and the ‘-t‘ option:

# who -t
   .        old time    Jan 13 15:59                    
   .        new time    Jan 13 15:58                    
# 

If the time is changed again, the type 3 and 4 entries in /etc/utmp are reused. However, in /var/adm/wtmp additional entries are added.