# rm-rf.es

Viewing the contents of btmp and wtmp with utmpdump

The utmpdump command lets you view the contents of the btmp and wtmp files. Both files are in binary format and store logs of:

The files cannot be read directly because they are stored in binary:

```
# file wtmp 
wtmp: data
```

That is what the utmpdump command is for. Simply pass the log file as a parameter and you can view its contents:

```
# utmpdump /var/log/btmp 
Utmp dump of /var/log/btmp
[6] [01585] [    ] [alex    ] [ssh:notty   ] [192.168.1.128       ] [192.168.1.128  ] [Mon Jan 16 21:45:56 2012 CET]
[6] [01585] [    ] [alex    ] [ssh:notty   ] [192.168.1.128       ] [192.168.1.128  ] [Mon Jan 16 21:45:59 2012 CET]
[6] [02927] [    ] [foo  ] [ssh:notty   ] [192.168.1.128       ] [0.0.0.0        ] [Fri Jan 27 21:52:13 2012 CET]
[6] [03787] [    ] [root    ] [ssh:notty   ] [192.168.1.128       ] [192.168.1.128  ] [Fri Jan 27 22:01:35 2012 CET]
[6] [03787] [    ] [root    ] [ssh:notty   ] [192.168.1.128       ] [192.168.1.128  ] [Fri Jan 27 22:01:51 2012 CET]
# utmpdump /var/log/wtmp | head
Utmp dump of /var/log/wtmp
[2] [00000] [~~  ] [reboot  ] [~           ] [2.6.32-220.el6.i686 ] [0.0.0.0        ] [Wed Dec 28 21:01:04 2011 CET]
[1] [00051] [~~  ] [runlevel] [~           ] [2.6.32-220.el6.i686 ] [0.0.0.0        ] [Wed Dec 28 21:01:04 2011 CET]
[6] [01052] [1   ] [LOGIN   ] [tty1        ] [                    ] [0.0.0.0        ] [Wed Dec 28 21:01:25 2011 CET]
[6] [01054] [2   ] [LOGIN   ] [tty2        ] [                    ] [0.0.0.0        ] [Wed Dec 28 21:01:25 2011 CET]
[6] [01056] [3   ] [LOGIN   ] [tty3        ] [                    ] [0.0.0.0        ] [Wed Dec 28 21:01:25 2011 CET]
[6] [01060] [4   ] [LOGIN   ] [tty4        ] [                    ] [0.0.0.0        ] [Wed Dec 28 21:01:25 2011 CET]
[6] [01062] [5   ] [LOGIN   ] [tty5        ] [                    ] [0.0.0.0        ] [Wed Dec 28 21:01:25 2011 CET]
[6] [01064] [6   ] [LOGIN   ] [tty6        ] [                    ] [0.0.0.0        ] [Wed Dec 28 21:01:25 2011 CET]
[7] [01052] [1   ] [root    ] [tty1        ] [                    ] [0.0.0.0        ] [Wed Dec 28 21:01:31 2011 CET]
[7] [03021] [ts/0] [root    ] [pts/0       ] [192.168.1.128       ] [192.168.1.128  ] [Wed Dec 28 21:10:28 2011 CET]
```

utmpdump also lets you view the contents of the log in real time (like a tail -f):

```
# utmpdump -f /var/log/wtmp 
Utmp dump of /var/log/wtmp
[8] [01555] [6   ] [        ] [tty6        ] [                    ] [0.0.0.0        ] [Fri Jan 27 22:20:43 2012 CET]
[2] [00000] [~~  ] [reboot  ] [~           ] [2.6.32-220.el6.i686 ] [0.0.0.0        ] [Sat Jan 28 10:34:12 2012 CET]
[1] [00051] [~~  ] [runlevel] [~           ] [2.6.32-220.el6.i686 ] [0.0.0.0        ] [Sat Jan 28 10:34:12 2012 CET]
...
...
```
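The bracketed columns utmpdump prints above map one-to-one onto the fields of `struct utmp` (type, pid, id, user, line, host, address, time). The following Python script is an added example, not code from the post or from the utmpdump project: it decodes that 384-byte binary record layout directly, renders records in the same bracketed form, and then does what a defender normally wants from btmp, which is to count failed logins per source host. The sample btmp bytes are constructed inline from the values shown in the post (times in UTC rather than CET), and little-endian x86 layout is assumed.

```python
import struct
from collections import Counter
from datetime import datetime, timezone
from ipaddress import IPv4Address, IPv6Address

# Field layout of struct utmp on Linux/glibc: 384 bytes on both 32- and 64-bit
# builds (ut_session and ut_tv are fixed 32-bit fields for that reason).
# Little-endian is assumed (x86); "xx" is the alignment pad after ut_type.
UTMP_STRUCT = struct.Struct("<hxxi32s4s32s256shhiii16s20s")
RECORD_SIZE = UTMP_STRUCT.size  # 384

# ut_type values from <utmp.h>; utmpdump prints the number, names are for the reader.
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string."""
    return raw.split(b"\0", 1)[0].decode("utf-8", errors="replace")


def _addr(raw: bytes) -> str:
    """ut_addr_v6 holds 16 bytes; an IPv4 address uses only the first 4."""
    if raw[4:] == b"\0" * 12:
        return str(IPv4Address(raw[:4]))
    return str(IPv6Address(raw))


def parse_utmp(data: bytes) -> list:
    """Split btmp/wtmp bytes into records; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - len(data) % RECORD_SIZE, RECORD_SIZE):
        (ut_type, pid, line, ut_id, user, host, _e_term, _e_exit, _session,
         tv_sec, _tv_usec, addr, _unused) = UTMP_STRUCT.unpack_from(data, off)
        records.append({
            "type": ut_type, "type_name": UT_TYPES.get(ut_type, "UNKNOWN"),
            "pid": pid, "line": _cstr(line), "id": _cstr(ut_id), "user": _cstr(user),
            "host": _cstr(host), "addr": _addr(addr), "tv_sec": tv_sec,
        })
    return records


def format_record(rec: dict) -> str:
    """Render one record in the bracketed column layout utmpdump uses."""
    ts = datetime.fromtimestamp(rec["tv_sec"], tz=timezone.utc)
    return (f"[{rec['type']}] [{rec['pid']:05d}] [{rec['id']:<4}] [{rec['user']:<8}] "
            f"[{rec['line']:<12}] [{rec['host']:<20}] [{rec['addr']:<15}] "
            f"[{ts.strftime('%a %b %d %H:%M:%S %Y %Z')}]")


def failed_logins_by_host(records: list, threshold: int = 3) -> dict:
    """Every LOGIN_PROCESS record in btmp is a failed login attempt;
    return the hosts that reached the threshold."""
    counts = Counter(r["host"] for r in records if r["type"] == 6)
    return {host: n for host, n in counts.items() if n >= threshold}


def build_record(ut_type, pid, ut_id, user, line, host, addr, when) -> bytes:
    """Pack one record; used only to construct the sample data below."""
    ip = IPv4Address(addr) if ":" not in addr else IPv6Address(addr)
    return UTMP_STRUCT.pack(ut_type, pid, line.encode(), ut_id.encode(), user.encode(),
                            host.encode(), 0, 0, 0, int(when.timestamp()), 0,
                            ip.packed.ljust(16, b"\0"), b"")


def _utc(*parts) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample btmp, modelled on the post's output (UTC instead of CET).
SAMPLE_BTMP = b"".join([
    build_record(6, 1585, "", "alex", "ssh:notty", "192.168.1.128", "192.168.1.128", _utc(2012, 1, 16, 20, 45, 56)),
    build_record(6, 1585, "", "alex", "ssh:notty", "192.168.1.128", "192.168.1.128", _utc(2012, 1, 16, 20, 45, 59)),
    build_record(6, 2927, "", "foo", "ssh:notty", "192.168.1.128", "0.0.0.0", _utc(2012, 1, 27, 20, 52, 13)),
    build_record(6, 3787, "", "root", "ssh:notty", "192.168.1.128", "192.168.1.128", _utc(2012, 1, 27, 21, 1, 35)),
])

if __name__ == "__main__":
    # To read a real file instead: records = parse_utmp(open("/var/log/btmp", "rb").read())
    records = parse_utmp(SAMPLE_BTMP)
    for rec in records:
        print(format_record(rec))
    print("hosts with repeated failed logins:", failed_logins_by_host(records))
```

Two things worth noting when using this on real systems: the host column comes from what the login program wrote into `ut_host`, so treat it as data to correlate rather than ground truth, and a byte count that is not a multiple of 384 usually means a truncated write or a different struct layout (other libcs and architectures differ), which is why the parser drops the trailing partial record instead of guessing.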