Reading wtmps file

hopkinshs · February 9, 2016, 4:41pm

I'm sure there might be an answer here. I have searched but cannot find specifics. I have wtmps file exported to a txt file for reading. The code for the export I believe is this.

if [ ${OS_VERSION} = "B.11.11" ]; then
    for file in $(ls -1 /var/adm/wtmp.*|grep -v gz)
    do
      /usr/sbin/acct/fwtmp -X < ${file} >> ${REPORTDIR}/successful-logins-all
    done
    if [ -f /var/adm/wtmp ]; then 
      /usr/sbin/acct/fwtmp -X < /var/adm/wtmp >> ${REPORTDIR}/successful-logins-all
    fi
  else
    for file in $(ls -1 /var/adm/wtmps.*|grep -v gz)
    do
      /usr/sbin/acct/fwtmp -X < ${file} >> ${REPORTDIR}/successful-logins-all
    done
    if [ -f /var/adm/wtmps ]; then 
      /usr/sbin/acct/fwtmp -X < /var/adm/wtmps >> ${REPORTDIR}/successful-logins-all
    fi
  fi

I'm not an expert just auditing. when I open output file this is an example of lines I see.

     dev/              18096  8 0000 0000 1448946032 416868 Dec  1 00:00:32 2015 0  
         dev/              18123  8 0000 0000 1448946038 364909 Dec  1 00:00:38 2015 0  
         dev/              18126  8 0000 0000 1448946038 381202 Dec  1 00:00:38 2015 0  
         dev/              18149  8 0000 0000 1448946048 259553 Dec  1 00:00:48 2015 0  
         dev/              18191  8 0000 0000 1448946059 377515 Dec  1 00:00:59 2015 0

My question then is really what is this information telling me? I cannot seem to find anything that tells me what the output means.

Thank you much,

jim_mcnamara · February 9, 2016, 5:29pm

This looks like HPUX.

Specifically look at Methyl's answer about reading the man page.

There are C structs that show layout of data in the wtmpxx files I believe.

MadeInGermany · February 10, 2016, 5:10am

The -X option is for the /var/adm/wtmps.* files, otherwise fwtmp reads the /var/adm/wtmp.* files.
I have no clue what the extra numbers mean. The man pages are too short (and a bit confusing).
If you want to try the last command, the following extracts most out of the files:

last -Rf /var/adm/wtmp
last -XxRf /var/adm/wtmps

--
Normally, at least during a system login, wtmp and wtmps are written simultaneously. wtmps has room for more information. So reading wtmps alone should be sufficient.

hopkinshs · February 10, 2016, 8:32am

Thank you for responses. May have to work with server admins to run new commands. If I have a copy of the wmtp file exported to a Windows server is there a way to run the last command from some shell to view the file?
thanks.

MadeInGermany · February 10, 2016, 8:48am

No, the wtmp file is binary, and must be processed by the commands on the system.