utmpdump: Dump and Load utmp/btmp/wtmp

utmpdump is a small, pragmatic tool for working with Linux/Unix user accounting files. It can dump these binary files to readable text, and (with care) load a previously dumped file back into the log file.

What it does

  • Reads and dumps the binary accounting files: /var/log/wtmp, /var/log/btmp, and /var/run/utmp (on some systems found at /var/log/utmp).
  • Can restore data from a dump file back into the wtmp log, useful for recovery or analysis workflows.

Note: These files are sensitive and typically writable only by root. Be mindful of permissions and backups when loading data.

Basic usage

  • Dump a wtmp file to standard output (plain text):
      utmpdump /var/log/wtmp
  • Load a previously dumped file back into /var/log/wtmp:
      utmpdump -r dumpfile > /var/log/wtmp

The -r or --reverse flag indicates you're restoring data from the dumpfile into the real wtmp file. The dumpfile is treated as a textual representation of the log entries.

Practical examples

  • Inspect recent logins without touching the binary log (wtmp is written in chronological order, so the newest records are at the end):
      utmpdump /var/log/wtmp | tail -n 40
  • Save a backup before making changes (safe practice). The text dump is convenient for inspection; also keep a copy of the binary file itself, since that is what you will want to put back if a restore goes wrong:
      utmpdump /var/log/wtmp > /var/backups/wtmp.dump
  • Restore after a clean dump (ensure the file is a valid dump):
      utmpdump -r /var/backups/wtmp.dump > /var/log/wtmp

Common pitfalls

  • Permissions: Reading /var/log/wtmp generally requires root privileges. Use sudo if needed.
  • Data integrity: Restoring with utmpdump will overwrite the target log if you redirect output; double-check the command and file path.
  • Binary compatibility: Dumps produced by one system or version may not be perfectly compatible with another; prefer matching versions or test on non-production data first.
  • Active logs: Avoid dumping or restoring while the system is actively writing to the log (logins, logouts, reboots); schedule a maintenance window if you're performing restores.

Tips

  • Always verify a dump before restoring. Inspect the dumped file with head, a pager, or a simple grep for sanity:
      head dumpfile
  • Keep periodic backups of wtmp/btmp/utmp before performing any destructive operations.
  • Check the redirection target when restoring; the > overwrites /var/log/wtmp outright, so a typo here destroys the log:
      utmpdump -r dumpfile > /var/log/wtmp
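As an added example (not from the utmpdump man page or util-linux), the following shell helper applies the "verify a dump before restoring" tip to a dump file before it is fed to utmpdump -r: it checks the record layout, flags USER_PROCESS records whose user field is blank, and flags timestamps that run backwards, which is what a spliced or edited wtmp looks like. It assumes the eight-field bracketed output layout of util-linux utmpdump with ISO-8601 timestamps; the sample dump is constructed.

```shell
#!/bin/sh
# Sanity-check a utmpdump text dump before feeding it to "utmpdump -r".
# Assumes the 8-field bracketed layout printed by util-linux utmpdump:
#   [type] [pid] [id] [user] [line] [host] [addr] [timestamp]
# with ISO-8601 timestamps (assumption; older builds print a ctime-style date,
# which breaks the ordering check below). Exit status 1 if anything is flagged.
audit_wtmp_dump() {
    awk '
    {
        line = $0
        if (substr(line, 1, 1) != "[" || substr(line, length(line)) != "]") {
            print NR ": malformed record: " line; bad++; next
        }
        n = split(substr(line, 2, length(line) - 2), f, /\] \[/)
        if (n != 8) { print NR ": expected 8 fields, got " n; bad++; next }
        type = f[1] + 0; user = f[4]; ts = f[8]
        sub(/ +$/, "", user)
        # USER_PROCESS (type 7) is a login and must name a user; a blanked user
        # in such a record means the file was not written by login(1) as-is.
        if (type == 7 && user == "") { print NR ": login record with empty user"; bad++ }
        # wtmp is append-only, so timestamps should never run backwards; a
        # regression points at a spliced or edited file (or at a clock step).
        if (prev != "" && ts < prev) { print NR ": timestamp " ts " precedes " prev; bad++ }
        prev = ts
    }
    END { exit (bad > 0) }' "$1"
}

# Constructed sample dump (not from a real host): a reboot, a login and its
# logout, then two records the audit should flag.
make_sample_dump() {
    cat <<'EOF'
[2] [00000] [~~  ] [reboot  ] [~           ] [6.1.0-example       ] [0.0.0.0        ] [2024-03-01T08:00:00,000000+00:00]
[7] [01234] [ts/0] [alice   ] [pts/0       ] [192.0.2.10          ] [192.0.2.10     ] [2024-03-01T08:05:00,000000+00:00]
[8] [01234] [ts/0] [        ] [pts/0       ] [                    ] [0.0.0.0        ] [2024-03-01T09:00:00,000000+00:00]
[7] [04321] [ts/1] [        ] [pts/1       ] [198.51.100.7        ] [198.51.100.7   ] [2024-03-01T09:30:00,000000+00:00]
[7] [05555] [ts/2] [bob     ] [pts/2       ] [203.0.113.5         ] [203.0.113.5    ] [2024-02-28T23:59:00,000000+00:00]
EOF
}

# Usage: sh audit_dump.sh /var/backups/wtmp.dump
if [ $# -gt 0 ]; then audit_wtmp_dump "$1"; fi
```

Run it against the dump you intend to restore; a clean file produces no output and exit status 0, so it slots into a pre-restore step alongside the backup.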

See also

  • man utmpdump: comprehensive options and behavior
  • System accounting basics: utmp, wtmp, and btmp explainers

For more information, you can refer to the man page: utmpdump(1).