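Difference between the /var/run/utmp and /var/log/wtmp files in Linux
Date: 2020-03-05 15:26:30 Source: igfitidea
Logging is an important part of Linux-based operating systems.
The system maintains logs of the activity on the system.
It also maintains logs of the users who have logged in and logged out.
The files "/var/run/utmp" and "/var/log/wtmp" contain the login and logout records.
Both files are binary files.
We cannot view them with a text editor or with a pager such as "less".
Several commands use these files to produce their output.
The /var/run/utmp file
This file contains information about the users who are currently logged in to the system.
The who command uses this file to display the logged-in users: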
$ who
root     tty1         2012-12-26 11:53
igi      tty8         2012-12-26 03:00 (:0)
igi      pts/0        2012-12-26 11:02 (:0.0)
According to the utmp man page:
The utmp file allows one to discover information about who is currently using the system. There may be more users currently using the system, because not all programs use utmp logging.
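The /var/log/wtmp file
This file is like a history of the utmp file, i.e. it maintains a log of all users who have logged in and logged out in the past.
The last command uses this file to display a list of the last logged-in users.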
$ last
igi      pts/0        :0.0             Wed Dec 26 11:02   still logged in
igi      tty8         :0               Wed Dec 26 03:00   still logged in
reboot   system boot  3.5.0-17-generic Wed Dec 26 03:00 - 11:30  (08:29)
igi      pts/0        :0.0             Wed Dec 26 02:18 - 02:20  (00:01)
igi      tty8         :0               Tue Dec 25 18:36 - down   (07:44)
reboot   system boot  3.5.0-17-generic Tue Dec 25 18:35 - 02:21  (07:45)
igi      pts/0        :0.0             Tue Dec 25 14:36 - 14:38  (00:02)
igi      pts/0        :0.0             Tue Dec 25 13:33 - 14:14  (00:40)
root     pts/0        :0.0             Tue Dec 25 13:25 - 13:25  (00:00)
root     pts/0        :0.0             Tue Dec 25 13:23 - 13:23  (00:00)
root     pts/0        :0.0             Tue Dec 25 13:21 - 13:21  (00:00)
---output truncated--
wtmp begins Mon Nov 5 21:10:35 2012
According to the wtmp man page:
The wtmp file records all logins and logouts. Its format is exactly like utmp except that a null username indicates a logout on the associated terminal. Furthermore, the terminal name ~ with username shutdown or reboot indicates a system shutdown or reboot and the pair of terminal names |/} logs the old/new system time when date(1) changes it. wtmp is maintained by login(1), init(8), and some versions of getty(8) (e.g., mingetty(8) or agetty(8)). None of these programs creates the file, so if it is removed, record-keeping is turned off.
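The record rules quoted above can be applied directly to the binary file. The following is an added example, not code from the original page: it decodes fixed-size records and pairs logins with logouts the way the man page describes. It assumes the 384-byte glibc struct utmp layout on x86-64 Linux; the function names and the sample records are constructed for illustration.

```python
import struct

# Assumption: glibc struct utmp layout on x86-64 Linux (384 bytes per record).
REC = struct.Struct("<h2xi32s4s32s256shhiii16s20x")
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8  # ut_type values from <utmp.h>

def _s(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse(data):
    """Yield (ut_type, line, user, host, tv_sec) for each complete record."""
    for off in range(0, len(data) - len(data) % REC.size, REC.size):
        t, _pid, line, _id, user, host, _e1, _e2, _sess, sec, _usec, _addr = REC.unpack_from(data, off)
        yield t, _s(line), _s(user), _s(host), sec

def sessions(data):
    """Return (user, line, host, start, end) tuples; end is None if unknown/open."""
    open_by_line, out = {}, []
    for t, line, user, host, sec in parse(data):
        if line == "~" and user in ("reboot", "shutdown"):
            # A reboot or shutdown ends every session that is still open.
            out += [(u, l, h, s, sec) for l, (u, h, s) in open_by_line.items()]
            open_by_line.clear()
            out.append((user, line, host, sec, None))
        elif t == USER_PROCESS and user:
            open_by_line[line] = (user, host, sec)
        elif (t == DEAD_PROCESS or not user) and line in open_by_line:
            u, h, s = open_by_line.pop(line)  # null username: logout on this terminal
            out.append((u, line, h, s, sec))
    # Anything left over is still logged in.
    out += [(u, l, h, s, None) for l, (u, h, s) in open_by_line.items()]
    return out

def make_record(t, line, user, host, sec):
    """Build one constructed record for the sample below."""
    return REC.pack(t, 0, line.encode(), b"", user.encode(), host.encode(), 0, 0, 0, sec, 0, b"")

# Constructed sample data, not taken from a real system.
SAMPLE = b"".join([
    make_record(BOOT_TIME, "~", "reboot", "3.5.0-17-generic", 1000),
    make_record(USER_PROCESS, "pts/0", "igi", ":0.0", 1100),
    make_record(DEAD_PROCESS, "pts/0", "", "", 1220),
    make_record(USER_PROCESS, "tty8", "igi", ":0", 1300),
])

if __name__ == "__main__":
    for row in sessions(SAMPLE):
        print(row)
```

To run it against a real file, pass the bytes read from /var/log/wtmp to sessions(); a trailing partial record is ignored.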
Another important file related to user logins is "/var/log/btmp".
This file contains the bad login attempts.
It is used by the 'lastb' command:
$ lastb
igi      tty8         :0               Fri Dec 21 06:36 - 06:36  (00:00)
root     tty1                          Tue Dec 11 14:14 - 14:14  (00:00)
igi      tty7         :0               Mon Dec 10 18:51 - 18:51  (00:00)