Under Construction

Viewing utmp Files with /usr/sbin/acct/fwtmp

The accounting fileset bos.acct provides the command fwtmp(1) for displaying the contents of utmp files. The command works as a filter, i.e. it reads from standard input and writes to standard output. By redirecting input, the records of any file in utmp format can be read and printed:

# /usr/sbin/acct/fwtmp </etc/utmp
                        system boot   2     0 0000 0000 1627365291                                  Tue Jul 27 07:54:51 CEST 2021
                        run-level 2   1     0 0062 0123 1637671886                                  Tue Nov 23 13:51:26 CET 2021
         securityboot                 8 6881756 0000 0000 1627365291                                  Tue Jul 27 07:54:51 CEST 2021

         rc                           8 6160852 0000 0000 1627365392                                  Tue Jul 27 07:56:32 CEST 2021
         rcemgr                       8 6619396 0000 0000 1627365397                                  Tue Jul 27 07:56:37 CEST 2021
         fbcheck                      8 5702114 0000 0000 1627365392                                  Tue Jul 27 07:56:32 CEST 2021
srcmstr  srcmstr                      5 5702116 0000 0000 1627365392                                  Tue Jul 27 07:56:32 CEST 2021
         rctcpip                      8 6684958 0000 0000 1627365397                                  Tue Jul 27 07:56:37 CEST 2021

cron     cron                         5 8257832 0000 0000 1627365435                                  Tue Jul 27 07:57:15 CEST 2021

user1   pts/0          pts/0         8 23462344 0015 175346 1634226431                                  Thu Oct 14 17:47:11 CEST 2021
user2   pts/1          pts/1         7 24576272 0005 41223 1641906231 192.168.1.17                    Tue Jan 11 14:03:51 CET 2022
user2   pts/2          pts/2         8 24576272 0005 61627 1641901617                                  Tue Jan 11 12:46:57 CET 2022
user2   pts/3          pts/3         8 24576272 0006 32171 1641897701                                  Tue Jan 11 11:41:41 CET 2022
user3   pts/4          pts/4         7 23069024 0010 53046 1641799722 192.168.1.17                   Mon Jan 10 08:28:42 CET 2022
user1   pts/5          pts/5         8 8126888 0001 26624 1641834373                                  Mon Jan 10 18:06:13 CET 2022
user3   pts/6          pts/6         8 21627168 0007 54704 1641832922                                  Mon Jan 10 17:42:02 CET 2022
user2   pts/7          pts/7         8 35717576 0003 133242 1641829791                                  Mon Jan 10 16:49:51 CET 2022
#

The command can only be run by root or by a user in the adm group. All records are printed with all of their fields. Empty fields are printed as empty strings and are therefore hard to spot, as the example output above shows. The fields of the utmp structure are printed in the following order: ut_user, ut_id, ut_line, ut_type, ut_pid, ut_exit.e_termination, ut_exit.e_exit, ut_time (seconds since 1.1.1970), ut_host and ut_time (as date and time).

Note: The fields ut_exit.e_termination and ut_exit.e_exit are printed as octal values!

User names (field ut_user) are truncated to the first 8 characters. With the option -X the complete user name is shown, up to 255 characters.

For entries from remote logins, e.g. via SSH, the host name or the IP address of the remote system is stored in the ut_host field. By default only the first 32 characters are displayed, which is more than enough for IP addresses but may not be enough for long FQDNs. With the option -L the complete host name is shown, up to 255 characters.

By default, fwtmp(1) expects binary utmp records as input and prints them in ASCII format. This behaviour can be changed with options:

-i : utmp records in ASCII format are expected as input.

-c : utmp records are written to the output in binary format.

By combining the two options, ASCII format can be converted back to binary format. In rare cases this is used to correct defective entries in a utmp file. To do this, the file is first read and saved in ASCII format in a temporary file, which can then be edited with an editor. Finally, the edited ASCII file is read with the options -i and -c, converted to binary format and written back:

# /usr/sbin/acct/fwtmp </etc/utmp >/tmp/utmp.ascii
# vi /tmp/utmp.ascii
# /usr/sbin/acct/fwtmp -ic </tmp/utmp.ascii >/etc/utmp
#

In addition to fwtmp(1), a number of other commands can read files in utmp format, such as who(1) or last(1). However, these look for specific kinds of records and show only those. The advantage of fwtmp(1) is that all records are read and shown, which is valuable in some situations. The commands who(1), last(1) and others are discussed in the following chapters.