4

I'd like to monitor logged in sessions, include how they logged in (physical console or SSH), and how long that session has existed for.

It seems like utmpdump /var/log/utmp has that information, but I can't find the documentation that explains all the fields. Can someone enlighten me?

2 Answers

7

The fields are (member names of struct utmp in parentheses - see man 5 utmp):

  1. Type of record (ut_type)
  2. PID of login process (ut_pid)
  3. Terminal name suffix, or inittab(5) ID (ut_id)
  4. Username (ut_user)
  5. Device name or tty - "/dev/" (ut_line)
  6. Hostname for remote login, or kernel version for run-level messages (ut_host)
  7. Internet address of remote host (ut_addr_v6)
  8. Time entry was made (ut_time or actually ut_tv.tv_sec)

The possible values for the first field (ut_type or "type of record") are explained in utmp(5) (6 for example is LOGIN_PROCESS, or "Session leader process for user login").

Andreas Wiese
  • 10,400
  • Can you be more specific about runlevel type of record? How the actual runlevel is written there? – 0andriy Jul 16 '15 at 16:29
  • This cannot be easily answered in a general way. The entries indicating shutdowns, reboots, etc. are usually maintained by init, whereas entries for users would most-probably be placed in utmp by getty or variants (for console log-ins) or a login-manager like gdm (for X11 sessions). E.g., there's also a sessreg program intended to update utmp for arbitrary reasons a sysadmin may find useful. – Andreas Wiese Jul 17 '15 at 09:22
1

In the function print_utline from the utmpdump source code, you can find a little help:

static void print_utline(struct utmp ut, FILE *out)
{
    ....
    /* addr_string and time_string are built from ut.ut_addr_v6 and ut.ut_tv
     * in the part of the function elided above. */
    /*            type pid    id      user     line     host     addr       time */
    fprintf(out, "[%d] [%05d] [%-4.4s] [%-*.*s] [%-*.*s] [%-*.*s] [%-15s] [%-28.28s]\n",
            ut.ut_type, ut.ut_pid, ut.ut_id, 8, UT_NAMESIZE, ut.ut_user,
            12, UT_LINESIZE, ut.ut_line, 20, UT_HOSTSIZE, ut.ut_host,
            addr_string, time_string);
}
cuonglm
  • 153,898
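Putting the two answers together, here is an added example (not code from the question or either answer) that parses utmpdump's bracketed output into the struct utmp member names listed in the first answer, keeps only USER_PROCESS records, and derives the login method and session age the question asks for. The sample records, the "current" time, and the ISO-8601 timestamp format (the style newer util-linux utmpdump prints) are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# utmpdump prints one record per line as eight bracketed fields in the order of
# the fprintf() in print_utline(): type, pid, id, user, line, host, addr, time.
RECORD_RE = re.compile(r"\[(.*?)\]\s*" * 8)
FIELDS = ("ut_type", "ut_pid", "ut_id", "ut_user", "ut_line",
          "ut_host", "ut_addr_v6", "ut_time")
USER_PROCESS = 7  # ut_type of a normal user session, per utmp(5)

# Constructed sample: a boot record, an SSH session, a console session, a dead one.
SAMPLE_DUMP = """\
[2] [00000] [~~  ] [reboot  ] [~           ] [4.1.0-generic       ] [0.0.0.0        ] [2015-07-16T08:00:00,000000+0000]
[7] [01234] [ts/0] [alice   ] [pts/0       ] [192.0.2.10          ] [192.0.2.10     ] [2015-07-16T14:29:00,000000+0000]
[7] [00987] [tty1] [bob     ] [tty1        ] [                    ] [0.0.0.0        ] [2015-07-16T16:04:00,000000+0000]
[8] [00555] [ts/1] [        ] [pts/1       ] [                    ] [0.0.0.0        ] [2015-07-16T12:00:00,000000+0000]
"""
NOW = datetime(2015, 7, 16, 16, 29, tzinfo=timezone.utc)  # assumed "current" time

def parse_record(line):
    """Split one utmpdump line into a dict keyed by struct utmp member names."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = dict(zip(FIELDS, (f.strip() for f in m.groups())))
    rec["ut_type"] = int(rec["ut_type"])
    rec["ut_pid"] = int(rec["ut_pid"])
    # Assumed time format: the ISO-8601 style printed by newer util-linux utmpdump.
    rec["ut_time"] = datetime.strptime(rec["ut_time"], "%Y-%m-%dT%H:%M:%S,%f%z")
    return rec

def login_method(rec):
    """A console login leaves ut_host empty; a remote (SSH) login records the peer."""
    if rec["ut_host"] or rec["ut_addr_v6"] not in ("", "0.0.0.0"):
        return "remote"
    return "console"

def active_sessions(dump_text, now):
    """Return (user, line, method, age_seconds) for each USER_PROCESS record."""
    sessions = []
    for line in dump_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["ut_type"] != USER_PROCESS:
            continue  # boot, run-level and DEAD_PROCESS records are not live sessions
        age = (now - rec["ut_time"]).total_seconds()
        sessions.append((rec["ut_user"], rec["ut_line"], login_method(rec), age))
    return sessions
```

To use it on a real host, pass the output of utmpdump on the live utmp file and datetime.now(timezone.utc) in place of SAMPLE_DUMP and NOW.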