wtmpx file reading [Archive]

Old Vens

17th December 2002, 10:28

Hi,

Trying to interpret the contents of /var/adm/wtmpx file i've read it with the help of /usr/lib/acct/fwtmp utilty i we got the fine result. It shows every login, rebott and so on with the lines like this:
2001LOGIN co console 443 6 0000 0000 997672153 Mon Aug 13 07:09:13 2001
Ok. But what mean figures beginning with 443 and up to the date of the event.
OS is Solaris 8.
Smb. knows i hope?

Thanks in advance :)

patvdv

17th December 2002, 11:11

Have you tried 'man wtmpx'? :)

Old Vens

17th December 2002, 12:52

Reading man was the first thing i did, but it contains no needed data. Once again, i am talking about that output is quite clear except just part of it :
[LOGIN co console 443 6 0000 0000 997672153 Mon Aug 13 07:09:13 2001
What is 443 6 etc. ?
:)

patvdv

17th December 2002, 13:26

I think it does contain the information you asked for:

struct utmpx {
char ut_user[32]; /* user login name */
char ut_id[4]; /* /etc/inittab id (created by */
/* process that puts entry in utmp) */
char ut_line[32]; /* device name (console, lnxx) */
pid_t ut_pid; /* process id */
short ut_type; /* type of entry */
struct exit_status {
short e_termination; /* process termination status */
short e_exit; /* process exit status */
} ut_exit; /* exit status of a process */
/* marked DEAD_PROCESS */
struct timeval ut_tv; /* time entry was made */
long ut_session; /* session ID, used for windowing */
long pad[5]; /* reserved for future use */
short ut_syslen; /* length of ut_host including null */
char ut_host[257]; /* remote host name */
};
/* Definitions for ut_type */

#define EMPTY 0
#define RUN_LVL 1
#define BOOT_TIME 2
#define OLD_TIME 3
#define NEW_TIME 4
#define INIT_PROCESS 5 /* process spawned by "init" */
#define LOGIN_PROCESS 6 /* a "getty" process waiting for login */
#define USER_PROCESS 7 /* a user process */

Using this to decode your line:

LOGIN : /* user login name */
co : /* /etc/inittab id */
console : /* device name (console, lnxx) */
443 : /* process id */
6 : /* type of entry */ (in this case a 'getty' login)
0000 0000 997672153 : /* process termination status */ etc...
Mon Aug 13 07:09:13 2001 : /* time entry was made */

Old Vens

17th December 2002, 14:46

Thanks, Pat
It is what i mean, i also found it in include files. As addition to your reply it has also one more ut_type definition no.8 DEAD_PROCESS.
:)