wtmpdb in Debian
----------------

In Debian 13 "trixie", login and reboot records are recorded by the 'wtmpdb'
solution in an sqlite3 database file. This document identifies differences in
behaviour since earlier Debian releases that may require action by system
administators.


Log location
------------

The datafile for the login and reboot records is stored in the tool's state
directory '/var/lib/wtmpdb' instead of the system log directory '/var/log'.


Logging SSH sessions
--------------------

Login sessions are recorded by default when libpam-wtmpdb is installed but
when recorded this way the details may be limited, missing the terminal name.

The SSH daemon provided by openssh-server can record richer login information
directly with libwtmpdb0. To avoid duplicate login entries, libpam-wtmpdb is
therefore installed with a default configuration that skips recording logins
from sshd. When an alternative ssh daemon or a version of openssh-server
compiled without wtmpdb integration is installed, this may result in no logins
being recorded. To restore recording of ssh login sessions via the pam module,
edit /etc/pam.d/common-session and remove the option 'skip_if=sshd' from the
'pam_wtmpdb.so' line.


Log rotation and pruning
------------------------

Logs are rotated by the 'wtmpdb rotate' command, initiated by systemd timer
or cron job:

 1. The rotated files are dated by the latest rotated entry in the form
    wtmp_YYYYMMDD.db, rather than numerically like wtmp.1[.gz].

 2. The rotated files are saved alongside the live database in /var/lib,
    contrary to what might be expected under the FHS 3.0 followed by Debian.

 3. Rotated files are NOT pruned [1], as they would be by logrotate(8).
    If you need to prune old logs then this will require custom scripts as
    logrotate cannot be configured to achieve this.

[1] https://bugs.debian.org/1094965


 -- Andrew Bower <andrew@bower.uk>  Fri, 11 Apr 2025 21:53:11 +0100