wtmpdb in Debian
----------------

Login and reboot records are now recorded by the 'wtmpdb' solution in an
sqlite3 database file, which can represent a larger range of times.

This document identifies differences in behaviour from earlier
arrangements that may require action by system administrators.

Log location
------------

The datafile for the login and reboot records is currently stored in the
system log directory '/var/log' instead of the tool's state directory
'/var/lib/wtmpdb' as defined upstream via /usr/include/wtmpdb.h.

On Debian, /var/lib/wtmpdb/wtmp.db should be a symbolic link to
/var/log/wtmp.db.

Logging SSH sessions
--------------------

Login sessions are recorded by default when libpam-wtmpdb is installed,
but when recorded this way the details may be limited, missing the
terminal name.

The SSH daemon provided by openssh-server can record richer login
information directly with libwtmpdb0. To avoid duplicate login entries,
libpam-wtmpdb is therefore installed with a default configuration that
skips recording logins from sshd.

When an alternative ssh daemon or a version of openssh-server compiled
without wtmpdb integration is installed, this may result in no logins
being recorded. To restore recording of ssh login sessions via the pam
module, edit /etc/pam.d/common-session and remove the option
'skip_if=sshd' from the 'pam_wtmpdb.so' line.

Reading old wtmp log files
--------------------------

The 'last' tool provided by wtmpdb cannot read old login records stored
in utmp(5) format in '/var/log/wtmp'.

On installation, the wtmpdb package converts the existing wtmp log file,
if present, into wtmpdb format so that old records can immediately be
read with the newly-installed 'last' command.

If old rotated log files like /var/log/wtmp.1 are present, these can be
manually converted with the 'wtmpdb import' command (specify '-f' if
these are to be written to another file for archiving rather than merged
into the current login database). On default configurations, there are
unlikely to be any older rotated files such as wtmp.2.gz, but if there
are, these can be uncompressed with gzip before being imported.

Note that automatic import of old records will not happen if the new
database file gets populated before the wtmpdb package is installed,
which can happen if ssh or console logins are recorded after the system
upgrade but before the wtmpdb package is installed. In this case the old
file can be imported manually as described above.

Log rotation and pruning
------------------------

Logs are rotated and pruned by logrotate(8). The rotation and retention
periods may be inspected and modified in /etc/logrotate.d/wtmpdb.

-- Andrew Bower Sat, 04 Oct 2025 09:46:09 +0100
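
The check below is an added example, not part of the original document or
of the wtmpdb package. It classifies the cases described under "Logging
SSH sessions" so that an unrecorded-login gap is caught during an audit.
Assumptions: the sshd integration shows up as a dynamic dependency on
libwtmpdb in the binary you pass in, 'skip_if' takes a comma-separated
service list, and the function names and LDD override are hypothetical.

```shell
#!/bin/sh
# Added example, not from the wtmpdb package. Function names are hypothetical.

# pam_records_sshd PAM_FILE
# Succeeds when at least one active (uncommented) pam_wtmpdb.so line does
# not list sshd in skip_if= (assumed to be a comma-separated service list).
pam_records_sshd() {
    sed 's/#.*//' "$1" 2>/dev/null | awk '
        /pam_wtmpdb\.so/ {
            skip = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^skip_if=/) {
                    n = split(substr($i, 9), svc, ",")
                    for (j = 1; j <= n; j++)
                        if (svc[j] == "sshd") skip = 1
                }
            if (!skip) records = 1
        }
        END { exit !records }'
}

# links_libwtmpdb BINARY
# Succeeds when the binary has a dynamic dependency on libwtmpdb
# (assumption: this is how the direct sshd integration is visible).
# LDD may be set to substitute another lister, e.g. for testing.
links_libwtmpdb() {
    ${LDD:-ldd} "$1" 2>/dev/null | grep -q 'libwtmpdb\.so'
}

# audit_ssh_recording PAM_FILE SSHD_BINARY
# Prints one verdict:
#   sshd       daemon records directly, PAM skips it (the Debian default)
#   pam        only the PAM module records SSH logins
#   duplicate  both record, so each login is entered twice
#   gap        neither records, so SSH logins are missing from wtmpdb
audit_ssh_recording() {
    if links_libwtmpdb "$2"; then
        if pam_records_sshd "$1"; then echo duplicate; else echo sshd; fi
    elif pam_records_sshd "$1"; then
        echo pam
    else
        echo gap
    fi
}
# Usage (binary path is an assumption for your system):
#   audit_ssh_recording /etc/pam.d/common-session /usr/sbin/sshd
```

On a 'gap' verdict the remedy given under "Logging SSH sessions" applies:
remove 'skip_if=sshd' from the 'pam_wtmpdb.so' line.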