DEV Community

Sreedeep
🔍 3 Hidden Linux Logs You’ve Never Heard About! 🐧 (Uncover the Secrets!)

Log files can provide great insights into operations, user activity, and potential threats. Understanding these log files, wtmp, utmp, btmp, and auth.log, was a game-changer for me.

In this article, we’ll explore these logs, their practical applications, and how you can use them to diagnose issues.


1. wtmp: Login and Logout Records

The wtmp log tracks historical login and logout events on a Linux system. This binary log, stored in /var/log/wtmp, helps administrators review access patterns and pinpoint login anomalies. To analyse its contents, you can use the last command.

$ last

This command reveals the history of user sessions, including start and end times, terminal IDs, and host information.

2. utmp: Active Users

Stored in /var/run/utmp, this log tracks currently logged-in users and their active sessions. Use the who command to display this information in real time:

$ who

It's essential for administrators to monitor active sessions and ensure system integrity.

3. btmp: Invalid Login Attempts

The btmp log records failed login attempts, providing critical insights into potential brute force attacks or unauthorized access attempts. Analyze it with the lastb command:

$ sudo lastb

This helps identify the source and frequency of failed login attempts, enabling quick response to possible threats.

Bonus 1: boot.log

The boot.log file contains messages from the boot process. It’s a valuable resource for diagnosing slow boot times or identifying failing services.

Here is what I found on my system, which helped me debug the slow boot time.


Bonus 2: utmpdump

For binary logs like wtmp or btmp, tools such as utmpdump convert the contents into readable text. Example:

$ utmpdump /var/log/wtmp

This output reveals detailed session information, including event types, user IDs, and timestamps.
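As an added example (not part of the original post), here is a small Python reader for the same binary record format that lastb and utmpdump decode, with a defender-side check that counts btmp failures per source host. It assumes the x86_64 glibc struct utmp layout (384 bytes per record) and uses constructed sample records instead of a real /var/log/btmp.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

# Assumed layout of one `struct utmp` record on x86_64 glibc (384 bytes):
# ut_type, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit (2 shorts),
# ut_session, ut_tv (sec, usec), ut_addr_v6, trailing padding.
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
assert UTMP_SIZE == 384

def parse_utmp(data):
    """Yield one dict per complete record in a wtmp/btmp/utmp byte buffer."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit,
         _sess, sec, _usec, _addr) = struct.unpack_from(UTMP_FMT, data, off)
        yield {
            "type": ut_type,
            "pid": pid,
            "line": line.rstrip(b"\0").decode(errors="replace"),
            "user": user.rstrip(b"\0").decode(errors="replace"),
            "host": host.rstrip(b"\0").decode(errors="replace"),
            "time": datetime.fromtimestamp(sec, timezone.utc),
        }

def failed_logins_by_host(btmp_bytes, threshold=3):
    """Count btmp records per source host; return hosts at or over threshold."""
    counts = Counter(r["host"] for r in parse_utmp(btmp_bytes) if r["user"])
    return {h: n for h, n in counts.items() if n >= threshold}

def make_record(user, host, sec, ut_type=6, pid=4242, line="ssh:notty"):
    """Build one record (constructed sample data, same layout as above)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, b"")

# Constructed sample btmp: four failures from one host, one from another.
SAMPLE_BTMP = b"".join(
    [make_record("root", "203.0.113.7", 1700000000 + i) for i in range(4)]
    + [make_record("alice", "198.51.100.2", 1700000100)])

if __name__ == "__main__":
    for r in parse_utmp(SAMPLE_BTMP):
        print(f"[{r['type']}] {r['user']:<8} {r['line']:<10} "
              f"{r['host']:<15} {r['time']:%Y-%m-%dT%H:%M:%SZ}")
    print("hosts over threshold:", failed_logins_by_host(SAMPLE_BTMP))
```

To run it against a real file, read /var/log/btmp as root and pass the bytes to failed_logins_by_host; on a different architecture or libc the record layout may differ, so compare the output with utmpdump first.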

Hello, I forgot to introduce myself. I am Sreedeep, and I am building LiveAPI. It's a super convenient API documentation solution for startups.

In LiveAPI we added a new feature in which you can see high-level back-end logs that will help you debug issues while generating API documentation. Try out our free trial.
