wtmpdb in Debian
----------------

In Debian 13 "trixie", login and reboot records are recorded by the 'wtmpdb'
solution in an sqlite3 database file. This document identifies differences in
behaviour since earlier Debian releases that may require action by system
administrators.


Log location
------------

The datafile for the login and reboot records is stored in the tool's state
directory '/var/lib/wtmpdb' instead of the system log directory '/var/log'.


Logging SSH sessions
--------------------

Login sessions are recorded by default when libpam-wtmpdb is installed, but
when recorded this way the details may be limited, missing the terminal name.

The SSH daemon provided by openssh-server can record richer login information
directly with libwtmpdb0. To avoid duplicate login entries, libpam-wtmpdb is
therefore installed with a default configuration that skips recording logins
from sshd. When an alternative ssh daemon or a version of openssh-server
compiled without wtmpdb integration is installed, this may result in no logins
being recorded. To restore recording of ssh login sessions via the pam module,
edit /etc/pam.d/common-session and remove the option 'skip_if=sshd' from the
'pam_wtmpdb.so' line.


Reading old wtmp log files
--------------------------

The 'last' tool provided by wtmpdb cannot read old login records stored in
utmp(5) format in '/var/log/wtmp'. On installation, the wtmpdb package converts
the existing wtmp log file if present (as is likely on an upgrade from Debian
12 "bookworm") into wtmpdb format so that old records can immediately be read
with the newly-installed 'last' command.

If old rotated log files like /var/log/wtmp.1 are present, these can be
manually converted with the 'wtmpdb import' command (specify '-f' if these are
to be written to another file for archival rather than to the current login
database). On default configurations, there are unlikely to be any older
rotated files such as wtmp.2.gz but if there are, these can be uncompressed
with gzip before being imported.


Log rotation and pruning
------------------------

Logs can be rotated by the 'wtmpdb rotate' command. A systemd timer unit
is installed to do this on a monthly basis; however, this timer is not
enabled by default because of its limitations:

 1. The rotated files are dated by the latest rotated entry in the form
    wtmp_YYYYMMDD.db, rather than numerically like wtmp.1[.gz].

 2. The rotated files are saved alongside the live database in /var/lib,
    contrary to what might be expected under the FHS 3.0 followed by Debian.

 3. Rotated files are NOT pruned [1], as they would be by logrotate(8).
    If you need to prune old logs then this will require custom scripts as
    logrotate cannot be configured to achieve this.

Use 'systemctl enable wtmpdb-rotate.timer' to enable rotation.

Users needing to remove old login records for regulatory purposes will need to
implement a pruning function in addition to rotating the database. logrotate(8)
may be suitable for this purpose instead of the installed systemd timer.
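
One possible pruning script for the rotated files, given as an added example
that is not part of the wtmpdb package. Because each rotated file is named
after its latest entry, a file whose name date is past the retention period
holds only older records. The function name, the retention period in days and
the use of GNU date (as shipped in Debian) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not shipped by wtmpdb. Assumes GNU date (Debian coreutils).
#
# prune_wtmpdb DIR KEEP_DAYS [--delete]
#   Prints every rotated database in DIR whose name date (wtmp_YYYYMMDD.db)
#   is more than KEEP_DAYS days in the past. Files are removed only when
#   --delete is given; without it the call is a dry run.
prune_wtmpdb() {
    dir=$1
    keep_days=$2
    mode=${3:-}

    # Refuse anything that is not a plain non-negative integer.
    case $keep_days in
        ''|*[!0-9]*)
            echo "prune_wtmpdb: KEEP_DAYS must be a non-negative integer" >&2
            return 2 ;;
    esac
    cutoff=$(date -d "-${keep_days} days" +%Y%m%d) || return 2

    # Only names with exactly eight digits match, so the live database
    # (which has no date suffix) is never a candidate.
    for f in "$dir"/wtmp_[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].db; do
        # Skip an unmatched glob, directories and symlinks.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        stamp=${f##*/wtmp_}
        stamp=${stamp%.db}
        # Skip names whose digits are not a real calendar date.
        date -d "$stamp" +%Y%m%d >/dev/null 2>&1 || continue
        if [ "$stamp" -lt "$cutoff" ]; then
            echo "$f"
            if [ "$mode" = "--delete" ]; then
                rm -f -- "$f"
            fi
        fi
    done
    return 0
}

# When run as a script: sh prune-wtmpdb.sh /var/lib/wtmpdb 365 [--delete]
if [ $# -gt 0 ]; then
    prune_wtmpdb "$@"
fi
```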

[1] https://bugs.debian.org/1094965


 -- Andrew Bower <andrew@bower.uk>  Sun,  4 May 2025 18:10:00 +0100