File: README.Debian

package info (click to toggle)
wtmpdb 0.75.0-5
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 692 kB
  • sloc: ansic: 4,222; xml: 715; sh: 81; makefile: 16
file content (67 lines) | stat: -rw-r--r-- 2,966 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
 
wtmpdb in Debian
----------------

Login and reboot records are now recorded by the 'wtmpdb' solution in an
sqlite3 database file, which can represent a larger range of times. This
document identifies differences in behaviour from earlier arrangements that may
require action by system administators.


Log location
------------

The datafile for the login and reboot records is currently stored in the
system log directory '/var/log' instead of the tool's state directory
'/var/lib/wtmpdb' as defined upstream via /usr/include/wtmpdb.h. On Debian
/var/lib/wtmpdb/wtmp.db should be a symbolic link to /var/log/wtmp.db.


Logging SSH sessions
--------------------

Login sessions are recorded by default when libpam-wtmpdb is installed but
when recorded this way the details may be limited, missing the terminal name.

The SSH daemon provided by openssh-server can record richer login information
directly with libwtmpdb0. To avoid duplicate login entries, libpam-wtmpdb is
therefore installed with a default configuration that skips recording logins
from sshd. When an alternative ssh daemon or a version of openssh-server
compiled without wtmpdb integration is installed, this may result in no logins
being recorded. To restore recording of ssh login sessions via the pam module,
edit /etc/pam.d/common-session and remove the option 'skip_if=sshd' from the
'pam_wtmpdb.so' line.


Reading old wtmp log files
--------------------------

The 'last' tool provided by wtmpdb cannot read old login records stored in
utmp(5) format in '/var/log/wtmp'. On installation, the wtmpdb package converts
the existing wtmp log file if present into wtmpdb format so that old records
can immediately be read with the newly-installed 'last' command.

If old rotated log files like /var/log/wtmp.1 are present, these can be
manually converted with the 'wtmpdb import' command (specify '-f' if these are
to be written to another file for archiving rather than merged into the current
login database). On default configurations, there are unlikely to be any older
rotated files such as wtmp.2.gz but if there are, these can be uncompressed
with gzip before being imported.

Note that automatic import of old records will not happen if the new database
file gets populated before the wtmpdb package is installed, which can happen if
ssh or console logins are recorded after the system upgrade but before the
wtmpdb package is installed. In this case the old file can be imported manually
as described above.


Log rotation and pruning
------------------------

Logs are rotated and pruned by logrotate(8). The rotation and retention
periods may be inspected and modified in /etc/logrotate.d/wtmpdb

The upstream wtmpdb project provides a pair of units that perform monthly
logrotation but do not prune - these are installed as examples in
/usr/share/doc/wtmpdb/examples along with an equivalent cron.monthly drop-in.

 -- Andrew Bower <andrew@bower.uk>  Fri, 31 Oct 2025 21:05:30 +0000