黄舟2017-04-17 11:55:46
utmp maintains a full accounting of the current status of the system, system boot time (used by uptime), recording user logins at which terminals, logouts, system events etc.
wtmp acts as a historical utmp
btmp records failed login attempts
The utmp file is not a text file, but rather a binary format which needs to be edited by specially crafted programs. The implementation and the fields present in the file differ depending of the system or the libc version, and are defined in the utmp.h header file.
The wtmp and btmp format are exactly like utmp except that a null user name indicates a logout on the associated terminal. Furthermore, the terminal name ~ with user name shutdown or reboot indicates a system shutdown or reboot and the pair of terminal names / logs the old/new system time when date changes it.
http://en.wikipedia.org/wiki/Utmp#utmp.2C_wtmp_and_btmp