The files /etc/utmp and /var/adm/wtmp (as well as /etc/security/failedlogin) use the utmp format for storing data records. The definition of the format can be found in the C header file /usr/include/utmp.h:

struct utmp
  {
    char ut_user[256] ;     /* User login name */
    char ut_id[14] ;        /* /etc/inittab id */
    char ut_line[64] ;      /* device name (console, lnxx) */
    pid_t ut_pid ;          /* process id */
    short ut_type ;         /* type of entry */
    time64_t ut_time ;      /* time entry was made */
    struct exit_status
      {
        short e_termination ;   /* Process termination status */
        short e_exit ;      /* Process exit status */
      }
    ut_exit ;           /* The exit status of a process
                     * marked as DEAD_PROCESS.
                     */
    char ut_host[256] ;     /* host name */
    int __dbl_word_pad;     /* for double word alignment */
    int __reservedA[2];
    int __reservedV[6];
  } ;

There are 9 different types of entries. The specific type of a given entry is determined by the ut_type field. The following types are defined (also found in /usr/include/utmp.h):

/*  Definitions for ut_type                     */

#define EMPTY       0
#define RUN_LVL     1
#define BOOT_TIME   2
#define OLD_TIME    3
#define NEW_TIME    4
#define INIT_PROCESS    5   /* Process spawned by "init" */
#define LOGIN_PROCESS   6   /* A "getty" process waiting for login */
#define USER_PROCESS    7   /* A user process */
#define DEAD_PROCESS    8
#define ACCOUNTING  9

For processes started by init(1), init(1) generates entries with the value 5 (INIT_PROCESS) in /etc/utmp and /var/adm/utmp. A started getty(1) process generates entries with the value 6 (LOGIN_PROCESS) and a user login then leads to an entry with the type 7 (USER_PROCESS). If a user logs out again, an entry with type 8 (DEAD_PROCESS) is generated and the exit status of the process is recorded in the e_exit field. The types listed will be examined in more detail later. Each entry has a time stamp (ut_time) that indicates when the entry was generated.

In addition to the type field ut_type, there are the following fields:

• • ut_user: For processes, the name of the associated user.
  • ut_id: For processes started by init(1), the ID of the inittab(4) entry.
  • ut_line: The device name of the terminal for logins.
  • ut_pid: The PID of the started process.
  • ut_type: The type of entry.
  • ut_time: Timestamp of the entry.
  • ut_exit: For entries with type 8 (DEAD_PROCESS) the exit status of the process.
  • ut_host: For remote logins, the name or IP address of the remote host.