I had a test yesterday. One question was:

Choose the one that is wrong about log files.

  1. utmp contains login and logout information of the users who are currently logged onto the system
  2. loginlog records successful login attempts

I know the answer is 2. But does utmp contain logout information? I think 1 is also wrong. wtmp contains logged in and logged out information. If 1 is also a right answer, as I think, how do I support my opinion to the instructor?

Rui F Ribeiro

2 Answers

0

man 5 utmp gives a good answer:

The utmp file allows one to discover information about who is currently using the system.

The wtmp file records all logins and logouts.

0

Yes, it contains logout information.

When an interactive TUI login session ends, a DEAD_PROCESS record is entered into that table, replacing the previous USER_PROCESS one. This record does not live long (on some systems at least), as terminal login service management soon recycles the login service, overwriting the DEAD_PROCESS record with a new GETTY_PROCESS or LOGIN_PROCESS one. But it can be found there.

On other systems, where there is no such thing as a GETTY_PROCESS or LOGIN_PROCESS record, it lives for somewhat longer, and is easier to encounter. However, it is difficult to see outwith programmatically accessing the table, as utilities generally filter DEAD_PROCESS entries out when printing the table content.

Furthermore: because of bugs, you will see DEAD_PROCESS records for GUI login sessions from some modern desktop environments accrue without limit in this table.

JdeBP
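Reading the table programmatically, as the answer above describes, can be done as in the following added example (not code from either answer). It assumes the 384-byte glibc `struct utmp` layout used on Linux x86-64; the sample table is constructed, and `make_record`, `dead_entries` and `type_counts` are names made up for this illustration.

```python
import struct
import sys
from collections import Counter

# Assumption: glibc "struct utmp" on Linux x86-64, 384 bytes per record.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME",
         4: "OLD_TIME", 5: "INIT_PROCESS", 6: "LOGIN_PROCESS",
         7: "USER_PROCESS", 8: "DEAD_PROCESS", 9: "ACCOUNTING"}

def text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Return every complete record, with no filtering by ut_type."""
    usable = len(data) - len(data) % UTMP.size  # skip a truncated tail
    records = []
    for off in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(data, off)
        records.append({"type": TYPES.get(f[0], "UNKNOWN(%d)" % f[0]),
                        "pid": f[1], "line": text(f[2]), "id": text(f[3]),
                        "user": text(f[4]), "host": text(f[5]),
                        "exit": (f[6], f[7]), "time": f[9]})
    return records

def dead_entries(records):
    """The logout records that table-printing utilities usually hide."""
    return [r for r in records if r["type"] == "DEAD_PROCESS"]

def type_counts(records):
    """Per-type totals; a growing DEAD_PROCESS count shows accrual."""
    return Counter(r["type"] for r in records)

def make_record(ut_type, pid, line, ut_id, user, host, when):
    """Pack one constructed record (exit status, session, address zeroed)."""
    return UTMP.pack(ut_type, pid, line, ut_id, user, host,
                     0, 0, 0, when, 0, 0, 0, 0, 0)

# Constructed sample table, not taken from a real system.
SAMPLE = (make_record(2, 0, b"~", b"~~", b"reboot", b"", 1700000000)
          + make_record(7, 4321, b"pts/0", b"ts/0", b"alice", b"192.0.2.10", 1700000100)
          + make_record(8, 1234, b"tty1", b"1", b"", b"", 1700000200))

if __name__ == "__main__":
    # Pass a path such as /var/run/utmp to read a live table instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    recs = parse_utmp(data)
    print(dict(type_counts(recs)))
    for r in dead_entries(recs):
        print(r)
```
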