There are several simple perl parsers for wtmp files, like wtmp.pl by "Brocade Blue"

http://brocadeblue.blogspot.com/2012/10/perl-script-to-parse-wtmp-logs.html

Full source of wtmp.pl with minor typos fixed:

#!/usr/bin/perl
@type = (
    "Empty", "Run Lvl", "Boot", "New Time", "Old Time", "Init",
    "Login", "Normal",  "Term", "Account"
);
$recs = "";
while (<>) { 
    $recs .= $_;
}
foreach ( split( /(.{384})/s, $recs ) ) {
    next if length(type, line, $inittab, $user, $host, t2, t4, _ =~ /(.{4})(.{4})(.{32})(.{4})(.{32})(.{256})(.{4})(.{4})(.{4})(.{4})(.{4})/s;
    if ( defined $line && $line =~ /\w/ ) {  ##FILTER
        $line =~ s/\x00+//g;
        $host =~ s/\x00+//g;
        $user =~ s/\x00+//g;
        printf(
            "%s %-8s %-12s %10s %-45s \n",
            scalar( gmtime( unpack( "I4", type[ unpack( "I4", $type ) ],
            $user,   $line,   $host
        );
    }
}
printf "\n" 

The script may not work on 64-bit machines. The "384" and long line with (.{4}) should be fixed for 64-bit environment.

PS: to see really all records, disable the expression in the if marked with "##FILTER".

All three of the files that you want to read are stored in binary format. They are not plain text files and cannot be read with a normal text editor, or by using the cat command. Doing so will result in garbled output as you have noted.

Below are the functions of each of the three files:

• The file /var/log/btmp records failed login attempts.
• The file /var/run/utmp allows one to discover information about who is currently using the system. This file will contain information on a user's logins: on which terminals, logouts, system events and the current status of the system, system boot time (used by uptime) etc.
• The file /var/log/wtmp provides an historical record of utmp data.

You can use the last command to read each of the files.

For example:

sudo last /var/log/btmp` (note: this command needs to be run using sudo)

johndoe@computer:~$ last -f /var/run/utmp
 johndoe   tty7                          Fri Jul 26 17:58   still logged in   
 reboot   system boot  3.5.0-37-generic Fri Jul 26 17:57 - 20:10 (1+02:13)  

johndoe@computer::~$ last -f /var/log/wtmp
 reboot   system boot  3.5.0-37-generic Fri Jul 26 17:57 - 20:16 (1+02:19)   
 johndoe   pts/2        :0               Fri Jul 26 17:52 - 17:55  (00:03)    
 johndoe   pts/5        :0               Fri Jul 26 12:00 - 17:55  (05:55)    
 johndoe   pts/0        :0.0             Fri Jul 26 07:11 - 11:58  (04:46)
 <snip>...

For more information see: Linux Display Date And Time Of Login and the man pages for the command "last".

Once i opened the file using less , i could only see binary data. Now logstash cant understand this data. A logstash file like the following should work fine -

input { 
  pipe {
    command => "/usr/bin/last -f /var/log/wtmp"
  }
}

output {
    elasticsearch {
    host => localhost
    protocol => "http"
    port => "9200"
    }
}

logrotate was a good idea.

Like any regular file, wtmp could have been "sparse" (cf. lseek(2) "holes" and ls -s) which can show a extreme file size that actually occupies little disk. How did the hole get there, if it was a hole? getty(8) and friends could have had a bug. Or a system crash and fsck repair could have caused it.

If you are looking to see the raw contents of wtmp, od or hd are good for peeking at binaries and have the happy side effect of showing long runs of empty as such.

Unless it recurs, I wouldn't give it much more thought. A marginally competent intruder would do a better job than that, the contents aren't all that interesting, and little depends on them.

You may want to refer to the logrotate man pages however;

• /var/log/wtmp - the file that is to be processed
• monthly - process the file the first time logrotate runs each month.
• minsize 1M - The file has to be larger than minsize bytes before it will be processed
• create ... - The new log file will be created with these permissions and owner/group
• rotate 1 - the file will only be rotated once so only one earlier version of the file will be kept.

Putting it all together

The first time logrotate runs each month, check the size of the /var/log/wtmp file and if it is larger than 1M bytes rotate it. If an earlier version of the file exists, delete the earlier version. Create a new /var/log/wtmp file owned by root of group utmp with permissions 0644.

Edit:

The wtmp file stores the login and logout information for your system. See the wtmp man page for more information.

/var/log/wtmp is not a text file but it's not compressed either. It's a binary file and to decode it you need a dedicated tool called rawtmp available with the sac package.

sudo apt-get install sac

To access wtmp logs, type in a terminal:

rawtmp | less

Or to decode the first wtmp archive:

rawtmp -w /var/log/wtmp.1 | less

EDIT: To override logrotate compression settings for wtmp you just need to edit the /etc/logrotate.conf file:

sudo gedit /etc/logrotate.conf

To add the nocompress directive:

/var/log/wtmp {
    nocompress
    missingok
    monthly
    create 0664 root utmp
    rotate 12
}

From logrotate man page:

   nocompress
          Old versions of log files are not compressed. See also compress.

man utmp says "String fields are terminated by a null byte ('\0') if they are shorter than the size of the field." So, in particular, if they are the same size as the field then they are not terminated by a null byte. Well formed C strings must be terminated by a null byte. The fact that it looks like the ut_id field is 4 characters long "ts/2" suggests that it does not have a terminating null byte.

You're printing the char arrays using the %s formatting argument to printf. This keeps printing until it reaches a null byte. I suggest that you need to copy each field of the utmp to a temporary char array, which is one bigger than the size in the utmp structure. Make sure the last byte of that temporary array is a null byte, and it should print out OK.