Scroll to navigation

CHKWTMP(8) System Manager's Manual CHKWTMP(8)

NAME

chkwtmp - check wtmp file deleted entries

SYNOPSIS

chkwtmp looks for data deleted from wtmp

DESCRIPTION

chkwtmp examines the file /var/log/wtmp for entries which have been overwritten (containing only null-bytes). If such entries are found the program displays the timestamps of the entries before and after the deleted entry, providing an idea of when the entry was deleted.

chkwtmp needs to be able to read /var/log/wtmp. Normally this file is world-readable so no special privileges are required.

FILES

/var/log/wtmp
database of logins and logouts.

SEE ALSO

wtmp(4), who(1)

LIMITATIONS

An entry is recognized as overwritten if the time-information has been overwritten with null-bytes.

This program was originally designed to run on SunOS 4.x systems. On other systems the output is undefined.

October 23, 2021