A proposal discussed on the linux-api mailing list would replace legacy binary syslog formats such as lastlog, btmp, utmp, and wtmp with new shared libraries using SQLite as a backend. The aim of this initiative is to address various issues including the overflow of 32-bit time counters in 2038, lack of extensibility, poor query performance, and lack of write atomicity. The proposal can be found here and here.
Currently, Linux uses specific binary files to store session and authentication attempt data, each with a fixed structure: lastlog for last login time, btmp for failed login attempts, utmp for current sessions, and wtmp for the history of logins and logouts. The structure of these files has been in place for decades, but it has fundamental limitations.
One major concern is that the time counters in these files are based on 32-bit integers, which will overflow on January 19, 2038, affecting all Linux installations. Additionally, the fixed size of records makes it difficult to add new fields without significant format changes. Utilities like last, lastb, who, and lastlog have to linearly iterate over files with no efficient way to filter records, resulting in high I/O load and query latency.
To address these issues, the proposal suggests moving away from binary formats and creating specialized shared libraries using SQLite. Separate libraries like liblastlog2, libbtmp2, libutmp2, and libwtmp2 would be created, all working with SQLite databases with 64-bit timestamps and indexes for improved performance. This approach allows for adding new fields without compatibility issues and ensures atomicity in record writing.
Using SQLite offers benefits such as storing epoch time in a 64-bit INTEGER column, reduced I/O through indexes, flexibility in adding new fields, and support for ACID transactions.
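The properties listed above can be seen in a small sketch using Python's standard sqlite3 module. This is an added example, not code from the proposal: the table name, column names, and index name are hypothetical, since the page does not give the proposed schema.

```python
import sqlite3
import struct

# Hypothetical schema (assumption): the proposal's real layout is not on the page.
SCHEMA = """
CREATE TABLE IF NOT EXISTS wtmp (
    id     INTEGER PRIMARY KEY,
    user   TEXT NOT NULL,
    tty    TEXT,
    login  INTEGER NOT NULL,  -- seconds since the epoch, stored as 64-bit
    logout INTEGER            -- NULL while the session is still open
);
CREATE INDEX IF NOT EXISTS wtmp_user_login ON wtmp(user, login);
"""

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def fits_time32(ts):
    """True if ts fits the signed 32-bit time field of the legacy records."""
    try:
        struct.pack("<i", ts)
        return True
    except struct.error:
        return False

def record_logins(db, rows):
    """Insert a batch atomically: every row is written, or none is."""
    with db:  # commits on success, rolls back if any row fails
        db.executemany(
            "INSERT INTO wtmp(user, tty, login) VALUES (?, ?, ?)", rows)

def last_logins(db, user, since):
    """Filtered lookup served by the index instead of a linear file scan."""
    return db.execute(
        "SELECT tty, login FROM wtmp WHERE user = ? AND login >= ? "
        "ORDER BY login DESC", (user, since)).fetchall()

def uses_index(db):
    """Ask SQLite's planner whether the per-user query uses the index."""
    plan = db.execute(
        "EXPLAIN QUERY PLAN SELECT tty, login FROM wtmp "
        "WHERE user = ? AND login >= ?", ("alice", 0)).fetchall()
    return any("wtmp_user_login" in row[3] for row in plan)

if __name__ == "__main__":
    db = open_db()
    y2038 = 2**31  # first second a signed 32-bit counter cannot hold
    record_logins(db, [("alice", "pts/0", y2038 + 10)])  # constructed sample
    print(fits_time32(y2038), last_logins(db, "alice", y2038), uses_index(db))
```

A batch containing one invalid row (for example a NULL user) raises an error and leaves the table unchanged, which is the write atomicity the fixed-record files lack.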