There are two other system logfiles that have nothing to do with the syslog daemon: /var/run/utmp and /var/log/wtmp. These logfiles keep track of information about logins. The first file, utmp, tracks the current system state and is used by commands like finger, write, or who. The man page for utmp warns that many system programs foolishly depend on its integrity if utmp is writable to any user.

The second file, /var/log/wtmp, archives login information. It can be a valuable way to see who logs in and with what regularity. Since the file is in a binary format, you need something besides a text editor to get at the information it contains. To see the contents of the wtmp file, type last | more. This shows who has logged in and from where. If the file is mysteriously empty or nulled, this is a sign that you have been hacked. Truncating these files is a common practice to cover one's tracks.
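The following is an added example, not code from the original text, that shows what "a binary format" means in practice: it decodes wtmp records the way last does and checks for the two warning signs the text names (an empty or nulled wtmp, and a utmp that is writable to any user). It assumes the Linux glibc struct utmp layout (384-byte records, little-endian); BSD and Solaris use different layouts, so the format string would need adjusting there. The sample records are constructed inline so the script runs without touching the real files; the build_record, parse_records, audit_wtmp_bytes and audit_utmp_mode names are this example's own.

```python
"""Decode wtmp/utmp records and flag the tampering signs described above."""
import os
import stat
import struct
import time

# Assumed layout: Linux glibc `struct utmp` (384 bytes), little-endian.
#   short ut_type; pad; int ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; struct {short,short} ut_exit;
#   int ut_session; struct {int tv_sec; int tv_usec} ut_tv;
#   int ut_addr_v6[4]; char __unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 on Linux

# ut_type values from <utmp.h>
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
TYPE_NAMES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
              6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def _cstr(raw):
    """NUL-terminated char[] field -> str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def build_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(),
                       0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_records(data):
    """Decode every complete record; a trailing partial record is skipped."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _usec, *_addr) = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": TYPE_NAMES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(tv_sec)),
        })
    return records


def last_listing(data):
    """Rows like `last` prints: interactive logins only, newest first."""
    return [f"{r['user']:<10}{r['line']:<10}{r['host']:<20}{r['time']}"
            for r in reversed(parse_records(data))
            if r["type"] == "USER_PROCESS"]


def audit_wtmp_bytes(data):
    """Warn on the tampering signs visible in the wtmp contents themselves."""
    warnings = []
    if len(data) == 0:
        warnings.append("wtmp is empty: login history may have been truncated")
    elif len(data) % UTMP_SIZE:
        warnings.append("wtmp length is not a multiple of the record size: "
                        "possible manual editing")
    return warnings


def audit_utmp_mode(mode):
    """Warn if utmp is writable by any user (the man page's concern)."""
    if mode & stat.S_IWOTH:
        return ["utmp is world-writable: any user can forge or erase entries"]
    return []


def audit_files(wtmp_path="/var/log/wtmp", utmp_path="/var/run/utmp"):
    """Run both checks against the live files named in the text."""
    findings = []
    try:
        with open(wtmp_path, "rb") as fh:
            findings += audit_wtmp_bytes(fh.read())
    except OSError as exc:
        findings.append(f"cannot read {wtmp_path}: {exc}")
    try:
        findings += audit_utmp_mode(os.stat(utmp_path).st_mode)
    except OSError as exc:
        findings.append(f"cannot stat {utmp_path}: {exc}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a boot, one login from a documentation address, its logout.
    sample = b"".join([
        build_record(BOOT_TIME, 0, "~", "reboot", "", 1700000000),
        build_record(USER_PROCESS, 1234, "pts/0", "alice", "203.0.113.5", 1700003600),
        build_record(DEAD_PROCESS, 1234, "pts/0", "", "", 1700007200),
    ])
    print("\n".join(last_listing(sample)))
    print(audit_wtmp_bytes(b""))      # the "mysteriously empty" case
    print(audit_files())              # the real files, if present
```

Run the script as-is to see the decoded sample and the empty-file warning; on a Linux host, audit_files() then reports on the real /var/log/wtmp and /var/run/utmp. A length that is not a multiple of 384 is worth flagging because last silently ignores a trailing partial record, so hand-edited files can look normal in its output.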

