The utmpdump command lets you view the contents of the btmp and wtmp files. Both files are in binary format and store logs of:
- btmp: log that keeps a record of failed logins to the system
- wtmp: log that keeps a record of logins to the system
The files cannot be read directly because they are stored in binary:
# file wtmp
wtmp: data
That is what utmpdump is for. Simply pass the log file as a parameter and you can view its contents:
# utmpdump /var/log/btmp
Utmp dump of /var/log/btmp
[6] [01585] [    ] [alex    ] [ssh:notty   ] [192.168.1.128       ] [192.168.1.128  ] [Mon Jan 16 21:45:56 2012 CET]
[6] [01585] [    ] [alex    ] [ssh:notty   ] [192.168.1.128       ] [192.168.1.128  ] [Mon Jan 16 21:45:59 2012 CET]
[6] [02927] [    ] [foo     ] [ssh:notty   ] [192.168.1.128       ] [0.0.0.0        ] [Fri Jan 27 21:52:13 2012 CET]
[6] [03787] [    ] [root    ] [ssh:notty   ] [192.168.1.128       ] [192.168.1.128  ] [Fri Jan 27 22:01:35 2012 CET]
[6] [03787] [    ] [root    ] [ssh:notty   ] [192.168.1.128       ] [192.168.1.128  ] [Fri Jan 27 22:01:51 2012 CET]
# utmpdump /var/log/wtmp | head
Utmp dump of /var/log/wtmp
[2] [00000] [~~  ] [reboot  ] [~           ] [2.6.32-220.el6.i686 ] [0.0.0.0        ] [Wed Dec 28 21:01:04 2011 CET]
[1] [00051] [~~  ] [runlevel] [~           ] [2.6.32-220.el6.i686 ] [0.0.0.0        ] [Wed Dec 28 21:01:04 2011 CET]
[6] [01052] [1   ] [LOGIN   ] [tty1        ] [                    ] [0.0.0.0        ] [Wed Dec 28 21:01:25 2011 CET]
[6] [01054] [2   ] [LOGIN   ] [tty2        ] [                    ] [0.0.0.0        ] [Wed Dec 28 21:01:25 2011 CET]
[6] [01056] [3   ] [LOGIN   ] [tty3        ] [                    ] [0.0.0.0        ] [Wed Dec 28 21:01:25 2011 CET]
[6] [01060] [4   ] [LOGIN   ] [tty4        ] [                    ] [0.0.0.0        ] [Wed Dec 28 21:01:25 2011 CET]
[6] [01062] [5   ] [LOGIN   ] [tty5        ] [                    ] [0.0.0.0        ] [Wed Dec 28 21:01:25 2011 CET]
[6] [01064] [6   ] [LOGIN   ] [tty6        ] [                    ] [0.0.0.0        ] [Wed Dec 28 21:01:25 2011 CET]
[7] [01052] [1   ] [root    ] [tty1        ] [                    ] [0.0.0.0        ] [Wed Dec 28 21:01:31 2011 CET]
[7] [03021] [ts/0] [root    ] [pts/0       ] [192.168.1.128       ] [192.168.1.128  ] [Wed Dec 28 21:10:28 2011 CET]
utmpdump also lets you view the log contents in real time (like tail -f):
# utmpdump -f /var/log/wtmp
Utmp dump of /var/log/wtmp
[8] [01555] [6   ] [        ] [tty6        ] [                    ] [0.0.0.0        ] [Fri Jan 27 22:20:43 2012 CET]
[2] [00000] [~~  ] [reboot  ] [~           ] [2.6.32-220.el6.i686 ] [0.0.0.0        ] [Sat Jan 28 10:34:12 2012 CET]
[1] [00051] [~~  ] [runlevel] [~           ] [2.6.32-220.el6.i686 ] [0.0.0.0        ] [Sat Jan 28 10:34:12 2012 CET]
...
...
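To make the bracketed columns above less opaque, here is an added example (not part of the original post, and not the code of utmpdump itself) that parses the binary record format behind btmp/wtmp with Python's struct module, prints rows in the same column order utmpdump uses, and then does the thing a defender usually wants from btmp: count failed attempts per source address and user. It assumes the 384-byte glibc struct utmp layout on little-endian x86 Linux (type, pid, line, id, user, host, exit status, session, tv_sec/tv_usec, address); the sample records are constructed to resemble the btmp output in the post, and the timestamps are printed in UTC rather than local time.

```python
import socket
import struct
from collections import Counter
from datetime import datetime, timezone

# glibc struct utmp (bits/utmp.h) as laid out on the x86 Linux hosts in the post:
# 384 bytes, little-endian. ASSUMPTION: other architectures or libcs may differ,
# so compare struct.calcsize(UTMP_FMT) against sizeof(struct utmp) on the target.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

# ut_type codes; this is what utmpdump prints in its first bracketed column.
EMPTY, RUN_LVL, BOOT_TIME, NEW_TIME, OLD_TIME = 0, 1, 2, 3, 4
INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS, ACCOUNTING = 5, 6, 7, 8, 9


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded char[] field."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def pack_record(ut_type, pid, ut_id, user, line, host, tv_sec, ipv4=None):
    """Build one record; used here only to construct sample input."""
    # ut_addr_v6[0] holds the IPv4 address in network byte order.
    addr0 = struct.unpack("<i", socket.inet_aton(ipv4))[0] if ipv4 else 0
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       addr0, 0, 0, 0)


def parse_utmp(data: bytes):
    """Yield one dict per record, in file order (one utmpdump row each)."""
    if len(data) % UTMP_SIZE:
        raise ValueError("size is not a multiple of %d bytes; wrong layout or truncated file" % UTMP_SIZE)
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        addr0 = f[11]
        yield {
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
            "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),
            "addr": socket.inet_ntoa(struct.pack("<i", addr0)) if addr0 else "0.0.0.0",
        }


def dump_lines(data: bytes):
    """Render records in utmpdump's column order: type, pid, id, user, line, host, addr, time."""
    return ["[%d] [%05d] [%-4s] [%-8s] [%-12s] [%-20s] [%-15s] [%s]" % (
                r["type"], r["pid"], r["id"], r["user"], r["line"], r["host"],
                r["addr"], r["time"].strftime("%Y-%m-%d %H:%M:%S UTC"))
            for r in parse_utmp(data)]


def failed_logins(data: bytes, threshold=3):
    """For a btmp file: count LOGIN_PROCESS entries per (source address, user)
    and return the pairs at or above threshold, most frequent first."""
    c = Counter((r["addr"], r["user"]) for r in parse_utmp(data)
                if r["type"] == LOGIN_PROCESS)
    return [(src, user, n) for (src, user), n in c.most_common() if n >= threshold]


# Constructed sample resembling the post's btmp output (not captured from a real host).
SAMPLE_BTMP = b"".join([
    pack_record(LOGIN_PROCESS, 1585, "", "alex", "ssh:notty", "192.168.1.128", 1326746756, "192.168.1.128"),
    pack_record(LOGIN_PROCESS, 1585, "", "alex", "ssh:notty", "192.168.1.128", 1326746759, "192.168.1.128"),
    pack_record(LOGIN_PROCESS, 2927, "", "foo", "ssh:notty", "192.168.1.128", 1327697533, None),
    pack_record(LOGIN_PROCESS, 3787, "", "root", "ssh:notty", "192.168.1.128", 1327698095, "192.168.1.128"),
    pack_record(LOGIN_PROCESS, 3787, "", "root", "ssh:notty", "192.168.1.128", 1327698111, "192.168.1.128"),
    pack_record(LOGIN_PROCESS, 3790, "", "root", "ssh:notty", "192.168.1.128", 1327698120, "192.168.1.128"),
])

if __name__ == "__main__":
    for row in dump_lines(SAMPLE_BTMP):
        print(row)
    print("sources at or above threshold:", failed_logins(SAMPLE_BTMP))
```

To run it against a real file, replace SAMPLE_BTMP with `open("/var/log/btmp", "rb").read()` (root is needed, since btmp is normally not world-readable). The size check in parse_utmp is the first thing to look at if the output is garbage: a file whose length is not a multiple of 384 means either a different struct layout or a truncated file, and silently misaligned records would attribute attempts to the wrong users.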
Do you know which package installs it on Debian?