The utmp file, the wtmp file, and the failedlogin file contain records with user and accounting information. When a user successfully logs in, the login program writes entries in two files.
- The /etc/utmp file, which contains a record of users logged into the system. The command who -a processes the /etc/utmp file, and if this file is corrupted or missing, no output is generated from the who command.
- The /var/adm/wtmp file (if it exists), which contains connect-time accounting records.
On an invalid login attempt, due to an incorrect login name or password, the login program makes an entry in the /etc/security/failed login file, which contains a record of unsuccessful login attempts.