UTMP(5) File Formats Manual UTMP(5)


utmp, wtmp, lastlog - login records


#include <utmp.h>


The <utmp.h> file declares the structures used to record information about current users in the utmp file, logins and logouts in the wtmp file, and last logins in the lastlog file. The timestamps of date changes, shutdowns, and reboots are also logged in the wtmp file.
wtmp can grow rapidly on busy systems, so daily or weekly rotation is recommended. If any one of these files does not exist, it is not created. They must be created manually and are maintained by newsyslog(8).
#define _PATH_UTMP      "/var/run/utmp"
#define _PATH_WTMP      "/var/log/wtmp"
#define _PATH_LASTLOG   "/var/log/lastlog"

#define UT_NAMESIZE     32
#define UT_LINESIZE     8
#define UT_HOSTSIZE     256

struct lastlog {
        time_t  ll_time;                /* time of last login */
        char    ll_line[UT_LINESIZE];   /* terminal line */
        char    ll_host[UT_HOSTSIZE];   /* hostname */
};

struct utmp {
        char    ut_line[UT_LINESIZE];   /* tty line */
        char    ut_name[UT_NAMESIZE];   /* user name */
        char    ut_host[UT_HOSTSIZE];   /* hostname */
        time_t  ut_time;                /* timestamp */
};
Each time a user logs in, the login(1) program looks up the user's UID in the lastlog file. If it is found, the timestamp of the last time the user logged in, the terminal line, and the hostname are written to the standard output (provided the login is not “quiet”; see login(1)). The login(1) program then records the new login time in the lastlog file.
After the new lastlog record is written, the utmp file is opened and the utmp record for the user is inserted. This record remains until the user logs out, at which time it is deleted. The utmp file is used by the programs users(1), w(1), and who(1).
Next, the login(1) program opens the wtmp file and appends the user's utmp record. When the user logs out, a utmp record with the tty line, an updated timestamp, and zeroed name and host fields is appended to the file (see init(8)). The wtmp file is used by the programs last(1) and ac(8).
In the event of a date change, shutdown, or reboot, the following items are logged in the wtmp file:
A system reboot or shutdown has been initiated. A tilde (‘~’) character is placed in the field ut_line, and “reboot” or “shutdown” in the field ut_name (see shutdown(8) and reboot(8)).
The system time has been manually or automatically updated (see date(1)). The command name date(1) is recorded in the field ut_name. In the field ut_line, the “|” character indicates the time prior to the change and the “{” character indicates the new time.




last(1), login(1), who(1), ac(8), init(8), newsyslog(8)


A utmp and wtmp file format appeared in Version 3 AT&T UNIX. The lastlog file format appeared in 3.0BSD.


The strings in the utmp and lastlog structures are not normal ‘C’ strings and are thus not guaranteed to be null terminated.
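The following is an added example, not part of the manual or of OpenBSD's source. It classifies wtmp records by the ut_line/ut_name conventions described above (login, logout, reboot, shutdown, date change) and reads the fixed-width fields without assuming a terminating NUL. The names utmp_rec, rec_kind, field_copy and classify are hypothetical, and the sample records are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
/* Field sizes and layout as on this page; renamed utmp_rec (assumption) to avoid a host <utmp.h>. */
#define UT_NAMESIZE 32
#define UT_LINESIZE 8
#define UT_HOSTSIZE 256
struct utmp_rec {
	char   ut_line[UT_LINESIZE];
	char   ut_name[UT_NAMESIZE];
	char   ut_host[UT_HOSTSIZE];
	time_t ut_time;
};
enum rec_kind { REC_LOGIN, REC_LOGOUT, REC_REBOOT, REC_SHUTDOWN, REC_DATE_OLD, REC_DATE_NEW };

/* Copy a fixed-width field that may lack a NUL; dst needs srcsz + 1 bytes. Returns its length. */
size_t field_copy(char *dst, const char *src, size_t srcsz)
{
	const char *end = memchr(src, '\0', srcsz);
	size_t n = end ? (size_t)(end - src) : srcsz;
	memcpy(dst, src, n);
	dst[n] = '\0';
	return n;
}

/* Classify one wtmp record by the ut_line/ut_name conventions described above. */
enum rec_kind classify(const struct utmp_rec *u)
{
	char line[UT_LINESIZE + 1], name[UT_NAMESIZE + 1];
	field_copy(line, u->ut_line, UT_LINESIZE);
	field_copy(name, u->ut_name, UT_NAMESIZE);
	if (!strcmp(line, "~") && !strcmp(name, "reboot"))   return REC_REBOOT;
	if (!strcmp(line, "~") && !strcmp(name, "shutdown")) return REC_SHUTDOWN;
	if (!strcmp(line, "|") && !strcmp(name, "date"))     return REC_DATE_OLD;
	if (!strcmp(line, "{") && !strcmp(name, "date"))     return REC_DATE_NEW;
	return name[0] == '\0' ? REC_LOGOUT : REC_LOGIN;
}

int main(void)
{
	/* Constructed sample records; "ttyp0123" fills ut_line with no NUL. */
	struct utmp_rec r[] = {
		{ .ut_line = "~", .ut_name = "reboot" },
		{ .ut_line = "ttyp0123", .ut_name = "alice" },
		{ .ut_line = "ttyp0123" },
	};
	for (size_t i = 0; i < sizeof(r) / sizeof(r[0]); i++)
		printf("%d\n", (int)classify(&r[i]));
	return 0;
}
```

Passing ut_name or ut_line directly to strlen(3) or a "%s" format would read past the field whenever the value fills it completely, which is why the copy is bounded by the field size.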
September 10, 2015 OpenBSD-current