LLMpedia: The first transparent, open encyclopedia generated by LLMs

wtmp

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy: parent article XDM (display manager), hop 4
Name: wtmp
Extension: none
Owner: Unix-like systems
Type: binary log
Genre: system accounting

wtmp is a binary log file on Unix-like systems that records logins, logouts, system boots and shutdowns, run-level changes and clock adjustments as an append-only sequence of fixed-size records. It complements utmp, which lists only the sessions currently open, and lastlog, which keeps the most recent login per user, and it is read by utilities such as last(1) to produce human-readable session histories for administrators and auditors. Records are written by login programs (login, getty, sshd, and the init system for boot and run-level events) through library routines such as glibc's updwtmp(3) and the BSD logwtmp(3) family, and the format is a standard input for forensic timeline tools.

Overview

wtmp exists on the Bell Labs and AT&T Unix lineage and on its descendants, including GNU/Linux distributions (Debian, Red Hat and their derivatives), the BSDs and Solaris, as well as legacy commercial Unix such as AIX and HP-UX. The path and layout differ by platform: Linux keeps it at /var/log/wtmp, alongside /run/utmp for live sessions and /var/log/btmp for failed logins; Solaris uses the utmpx-based /var/adm/wtmpx; and FreeBSD dropped the classic utmp/wtmp files in release 9.0 in favour of /var/log/utx.log, while OpenBSD retains the classic format. Administrators correlate wtmp with syslog, cron and init records (systemd, Upstart or System V init scripts) to explain reboots and run-level changes, and forensic guidance from bodies such as NIST and SANS lists wtmp among the standard Linux artifacts to collect alongside sshd and web server logs when reconstructing sessions. Because every login program on the host appends to it, wtmp is often the quickest answer to who was logged in, from where and when, provided its integrity can be established.

File Format and Structure

wtmp is a sequence of fixed-size binary records whose layout is the C struct utmp (or utmpx) declared in <utmp.h> and <utmpx.h> by the system's C library, such as GNU C Library or musl. Each record carries a record type, the process ID of the login process, the terminal line (ut_line), a short line identifier (ut_id), the user name, the remote host as recorded by the login program, an exit status, a session ID, a timestamp and, on Linux, the remote IPv4 or IPv6 address. On glibc for x86 and x86-64 the record is 384 bytes with 32-bit second and microsecond fields (the 64-bit build deliberately mirrors the 32-bit layout), which keeps files interchangeable between the two but limits timestamps to 2038. Field widths differ between libcs and operating systems, so a file must be parsed with the struct definition of the host that wrote it, and the integers are stored in that host's byte order (little-endian on x86-64 and most ARM builds, big-endian on SPARC and classic PowerPC); a parser that ignores either produces silently wrong names and times.

System Records and Fields

The record type (ut_type) selects what the other fields mean. glibc's <utmp.h> defines EMPTY (0), RUN_LVL (1), BOOT_TIME (2), NEW_TIME (3) and OLD_TIME (4) for clock changes, INIT_PROCESS (5), LOGIN_PROCESS (6) for a getty waiting on a line, USER_PROCESS (7) for a completed login, DEAD_PROCESS (8) for a logout or process exit, and ACCOUNTING (9). Boot records conventionally use the line "~" and the user name "reboot", shutdown is logged as a RUN_LVL record with user "shutdown", and a login is closed by a later DEAD_PROCESS on the same ut_line, which is how last(1) pairs records into sessions. ut_line names the tty device (tty1 for a console managed by getty or agetty, pts/N for a pseudo-terminal); ut_host holds whatever the login program chose to store, which for sshd is the client address or, with UseDNS enabled, the resolved name; ut_pid is the login process and can be matched against process accounting or /proc data captured at the time. Auditors cross-reference these timestamps with sshd, sudo and PAM messages in syslog to build a timeline, and retention of the file is commonly driven by requirements in PCI DSS, HIPAA and NIST guidance.
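The record layout from the previous section and the login/logout pairing described above, as an added example that is not code from the article, util-linux or glibc. It assumes glibc's struct utmp as laid out on little-endian x86-64 (384 bytes, 32-bit time fields); the sample file, the user names alice and bob and the addresses are constructed inline so it runs offline.

```python
"""Parse a Linux wtmp file and rebuild login sessions from it.

Added example; this is not code from the original article, util-linux or glibc.
It assumes glibc's struct utmp as laid out on little-endian x86-64 (384 bytes,
32-bit time fields). All input below is constructed so the script runs offline.
"""
import struct
from datetime import datetime, timezone

# glibc <utmp.h> on x86-64, little-endian, no implicit padding ('<'):
#   short ut_type; [2 pad]; pid_t ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; short e_termination, e_exit;
#   int32 ut_session; int32 tv_sec, tv_usec; int32 ut_addr_v6[4]; char unused[20]
UTMP_FMT = "<h2xi32s4s32s256shhi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 on this layout

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def cstr(field: bytes) -> str:
    """Fixed-width char array: bytes up to the first NUL, decoded leniently."""
    return field.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_record(raw: bytes) -> dict:
    (ut_type, pid, line, ut_id, user, host, e_term, e_exit, session,
     tv_sec, tv_usec, a0, a1, a2, a3) = struct.unpack(UTMP_FMT, raw)
    return {"type": UT_TYPES.get(ut_type, f"UNKNOWN({ut_type})"), "pid": pid,
            "line": cstr(line), "id": cstr(ut_id), "user": cstr(user),
            "host": cstr(host), "exit": (e_term, e_exit), "session": session,
            "time": tv_sec, "usec": tv_usec, "addr_v6": (a0, a1, a2, a3)}


def parse_wtmp(data: bytes) -> list:
    """Split a wtmp image into records; a stray tail means truncation or a foreign layout."""
    if len(data) % UTMP_SIZE:
        raise ValueError(f"{len(data)} bytes is not a multiple of {UTMP_SIZE}")
    return [parse_record(data[i:i + UTMP_SIZE]) for i in range(0, len(data), UTMP_SIZE)]


def build_record(ut_type, pid=0, line="", ut_id="", user="", host="", tv_sec=0) -> bytes:
    """Pack one record; used here only to construct the sample file."""
    def cfield(s, n):
        return s.encode()[:n].ljust(n, b"\0")
    return struct.pack(UTMP_FMT, ut_type, pid, cfield(line, 32), cfield(ut_id, 4),
                       cfield(user, 32), cfield(host, 256), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def sessions(records: list) -> list:
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same ut_line,
    the way last(1) does. Returns (user, line, host, login_ts, logout_ts, how_ended)."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r  # a new login on a line supersedes an unterminated one
        elif r["type"] == "DEAD_PROCESS":
            start = open_by_line.pop(r["line"], None)
            if start is not None:
                out.append((start["user"], start["line"], start["host"],
                            start["time"], r["time"], "logout"))
        elif r["type"] == "BOOT_TIME":
            # sessions still open when the next boot record appears were never
            # logged out; last(1) reports these as "crash"
            for s in open_by_line.values():
                out.append((s["user"], s["line"], s["host"], s["time"], r["time"], "crash"))
            open_by_line.clear()
    for s in open_by_line.values():
        out.append((s["user"], s["line"], s["host"], s["time"], None, "still logged in"))
    return out


def iso(ts):
    """UTC timestamp for display; '-' for an open session."""
    return "-" if ts is None else datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")


# Constructed sample: boot, two SSH logins, one logout, then a reboot with bob still on.
SAMPLE_WTMP = b"".join([
    build_record(2, line="~", ut_id="~~", user="reboot", host="6.1.0-example", tv_sec=1700000000),
    build_record(7, pid=4242, line="pts/0", ut_id="ts/0", user="alice", host="198.51.100.7", tv_sec=1700000600),
    build_record(7, pid=4300, line="pts/1", ut_id="ts/1", user="bob", host="203.0.113.9", tv_sec=1700000900),
    build_record(8, pid=4242, line="pts/0", ut_id="ts/0", tv_sec=1700004200),
    build_record(2, line="~", ut_id="~~", user="reboot", host="6.1.0-example", tv_sec=1700008000),
])

if __name__ == "__main__":
    for user, line, host, t0, t1, how in sessions(parse_wtmp(SAMPLE_WTMP)):
        print(f"{user:<8} {line:<6} {host:<16} {iso(t0)} - {iso(t1)} ({how})")
```

To run it against a real file, replace SAMPLE_WTMP with the bytes of /var/log/wtmp taken from the same host (or one with the same libc layout and byte order); on a big-endian host change the '<' prefix to '>', and on other libcs rework UTMP_FMT from that system's <utmp.h> before trusting any field.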

Access and Utilities

On Linux the reader of record is last(1) from util-linux (historically sysvinit), which walks /var/log/wtmp backwards and prints sessions, reboots and shutdowns; lastb(1) does the same for /var/log/btmp, and who(1) from GNU Coreutils reads utmp by default but accepts a file argument (who /var/log/wtmp). utmpdump(1) from util-linux converts records to text and, with -r, back to binary, which makes it the easiest way to repair a damaged file and equally the easiest way to forge one; hash a forensic copy before touching it. Forensic suites such as EnCase (Guidance Software) and the open-source The Sleuth Kit ingest wtmp to line it up with other host and network evidence, including Windows event logs and packet captures from Wireshark. Programs append and iterate records through libc APIs (getutent(3), pututline(3) and updwtmp(3) in glibc; getutxent(3) and related calls on BSD); language runtimes such as Python, Perl and Go lack a standard utmp module, so scripts either use third-party bindings or unpack the struct directly. Configuration management (Ansible, Puppet, Chef) typically ships a logrotate policy for it; the stock Debian and Red Hat configuration rotates /var/log/wtmp monthly and recreates it with mode 0664, owner root, group utmp, and archived copies should be forwarded or retained under the same controls as the live file.

Security and Privacy Considerations

wtmp is personal data: it ties user names to source hosts and times, so it falls under privacy regimes such as GDPR, and on stock Debian and Red Hat systems it is world-readable (mode 0664, root:utmp), meaning any local account can enumerate who connects from where. It is also written by root-owned login programs, so a root compromise can rewrite it at will; intruders have long used log cleaners that zero or remove their own records, and truncating the whole file is trivial for root. Tampering does tend to leave traces: records overwritten with zeros, a file length that is no longer a multiple of the record size, timestamps that run backwards without an OLD_TIME/NEW_TIME pair, and logouts with no matching login. Hardening guidance from vendors such as Red Hat and from the CIS benchmarks therefore treats wtmp as corroborating rather than authoritative evidence: restrict the file's permissions where the platform allows it, put it under file integrity monitoring, and forward the underlying authentication events (sshd, PAM, sudo) through rsyslog or syslog-ng to a collector such as Graylog on a separate host, so that a wiped local file can be compared against the remote copy. Retention and deletion schedules then follow whichever statute applies, for example the Sarbanes-Oxley Act for in-scope systems, and access to archived copies is controlled like any other personal data.
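The tampering traces listed above, turned into a check, as an added example that is not code from the article or from any named tool. It assumes glibc's 384-byte Linux record with ut_type at offset 0, ut_line at offset 8 (32 bytes) and ut_tv.tv_sec at offset 340, little-endian; the clean and tampered sample files are constructed inline.

```python
"""Flag the artifacts a tampered or truncated Linux wtmp leaves behind.

Added example; not code from the original article or any named tool. It assumes
glibc's 384-byte record with ut_type at offset 0, ut_line at offset 8 (32 bytes)
and ut_tv.tv_sec at offset 340, little-endian. Sample files are constructed inline.
"""
import struct

REC_SIZE = 384
OFF_TYPE, OFF_LINE, LINE_LEN, OFF_TIME = 0, 8, 32, 340
NEW_TIME, OLD_TIME, USER_PROCESS, DEAD_PROCESS = 3, 4, 7, 8


def check_wtmp(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if len(data) % REC_SIZE:
        findings.append(f"length {len(data)} is not a multiple of {REC_SIZE}: "
                        "truncated write, partial wipe, or a different libc layout")
    last_ts, open_lines = None, set()
    for i in range(len(data) // REC_SIZE):
        rec = data[i * REC_SIZE:(i + 1) * REC_SIZE]
        if rec == bytes(REC_SIZE):
            # log cleaners commonly zero a record in place rather than re-pack the file
            findings.append(f"record {i}: all zeros (entry overwritten?)")
            continue
        ut_type = struct.unpack_from("<h", rec, OFF_TYPE)[0]
        line = rec[OFF_LINE:OFF_LINE + LINE_LEN].split(b"\0", 1)[0].decode("utf-8", "replace")
        ts = struct.unpack_from("<i", rec, OFF_TIME)[0]
        if ut_type in (OLD_TIME, NEW_TIME):
            last_ts = ts  # a recorded clock step legitimately restarts the timeline
            continue
        if last_ts is not None and ts < last_ts:
            findings.append(f"record {i}: time {ts} precedes previous record ({last_ts}): "
                            "spliced records or an unrecorded clock step")
        last_ts = ts
        if ut_type == USER_PROCESS:
            open_lines.add(line)
        elif ut_type == DEAD_PROCESS:
            if line not in open_lines:
                findings.append(f"record {i}: logout on {line!r} with no earlier login "
                                "(login record removed, or rotated into the previous file)")
            open_lines.discard(line)
    return findings


def make_record(ut_type: int, line: str, ts: int) -> bytes:
    """Minimal record carrying only the three fields the checks read (sample data only)."""
    buf = bytearray(REC_SIZE)
    struct.pack_into("<h", buf, OFF_TYPE, ut_type)
    buf[OFF_LINE:OFF_LINE + len(line)] = line.encode()
    struct.pack_into("<i", buf, OFF_TIME, ts)
    return bytes(buf)


# Constructed samples. CLEAN: boot, login, logout. TAMPERED: the second login has
# been zeroed so its logout is orphaned, the first logout's time has been moved
# before it, and seven stray bytes were left at the end of the file.
CLEAN_WTMP = b"".join([make_record(2, "~", 1700000000),
                       make_record(USER_PROCESS, "pts/0", 1700000600),
                       make_record(DEAD_PROCESS, "pts/0", 1700004200)])
TAMPERED_WTMP = b"".join([make_record(2, "~", 1700000000),
                          make_record(USER_PROCESS, "pts/0", 1700000600),
                          bytes(REC_SIZE),
                          make_record(DEAD_PROCESS, "pts/1", 1700003000),
                          make_record(DEAD_PROCESS, "pts/0", 1700002000)]) + b"\0" * 7

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_WTMP), ("tampered", TAMPERED_WTMP)):
        print(name, check_wtmp(image) or ["ok"])
```

Treat the orphan-logout and backwards-time findings as leads rather than proof: the first record after a monthly rotation often closes a session that was opened in the previous file, getty-managed ttys produce DEAD_PROCESS records without a USER_PROCESS, and a clock stepped by hand is not always bracketed by OLD_TIME/NEW_TIME records. Zeroed records and a length that is not a record multiple have far fewer innocent explanations and deserve a comparison against the forwarded sshd and PAM messages on the collector.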

History and Implementation Across Unix Systems

wtmp dates from early Research Unix at Bell Labs and was carried into AT&T's commercial System V and the BSD line, after which it diverged: BSD kept the classic struct utmp, System V release 4 introduced utmpx with larger fields (the basis for Solaris's /var/adm/wtmpx and for the POSIX <utmpx.h> interface), and commercial Unix such as Sun Microsystems's Solaris and IBM's AIX followed their own definitions. The GNU and Linux ecosystems kept the semantics while fixing the structure in glibc's headers, with the user-space tools split between GNU Coreutils (who, users, pinky) and util-linux (last, lastb, utmpdump, agetty). The same binary-versus-text argument later played out around syslog and systemd's binary journal, and glibc's 32-bit timestamp field has made wtmp a Year 2038 problem, which is why some distributions are replacing it with the SQLite-backed wtmpdb or with session data kept by systemd-logind.

Category:Unix file formats