diff --git a/dissect/target/plugins/os/unix/log/btmp.py b/dissect/target/plugins/os/unix/log/btmp.py
deleted file mode 100644
index 4624045af..000000000
--- a/dissect/target/plugins/os/unix/log/btmp.py
+++ /dev/null
@@ -1,63 +0,0 @@
-import socket
-import struct
-
-from dissect.util.ts import from_unix
-
-from dissect.target.helpers.record import TargetRecordDescriptor
-from dissect.target.plugin import Plugin, export
-from dissect.target.plugins.os.unix.log.utmp import UtmpFile, utmp
-
-BtmpRecord = TargetRecordDescriptor(
-    "linux/log/btmp",
-    [
-        ("datetime", "ts"),
-        ("string", "ut_type"),
-        ("string", "ut_user"),
-        ("varint", "ut_pid"),
-        ("string", "ut_line"),
-        ("string", "ut_id"),
-        ("string", "ut_host"),
-        ("net.ipaddress", "ut_addr"),
-    ],
-)
-
-
-class BtmpPlugin(Plugin):
-    """btmp log records failed login attempts"""
-
-    def check_compatible(self):
-        check = list(self.target.fs.glob("/var/log/btmp*"))
-        return len(check) > 0
-
-    @export(record=[BtmpRecord])
-    def btmp(self):
-        """Return failed login attempts stored in the btmp file.
-
-        On a Linux system, failed login attempts are stored in the btmp file located in the var/log/ folder.
-
-        References:
-            - https://en.wikipedia.org/wiki/Utmp
-            - https://www.thegeekdiary.com/what-is-the-purpose-of-utmp-wtmp-and-btmp-files-in-linux/
-        """
-        btmp_paths = self.target.fs.glob("/var/log/btmp*")
-        for btmp_path in btmp_paths:
-            if "gz" in btmp_path:
-                btmp = UtmpFile(self.target.fs.open(btmp_path), compressed=True)
-            else:
-                btmp = UtmpFile(self.target.fs.open(btmp_path))
-            r_type = ""
-            for entry in btmp:
-                if entry.ut_type in utmp.Type.reverse:
-                    r_type = utmp.Type.reverse[entry.ut_type]
-
-                yield BtmpRecord(
-                    ts=from_unix(entry.ut_tv.tv_sec),
-                    ut_type=r_type,
-                    ut_pid=entry.ut_pid,
-                    ut_user=entry.ut_user.decode().strip("\x00"),
-                    ut_line=entry.ut_line.decode().strip("\x00"),
-                    ut_id=entry.ut_id.decode().strip("\x00"),
-                    ut_host=entry.ut_host.decode().strip("\x00"),
-                    ut_addr=socket.inet_ntoa(struct.pack("<i", entry.ut_addr_v6[0])),
-                    _target=self.target,
-                )
diff --git a/dissect/target/plugins/os/unix/log/utmp.py b/dissect/target/plugins/os/unix/log/utmp.py
index 05dd29b2d..76a9a1abb 100644
--- a/dissect/target/plugins/os/unix/log/utmp.py
+++ b/dissect/target/plugins/os/unix/log/utmp.py
@@ -1,7 +1,43 @@
 import gzip
+import ipaddress
+import struct
+from collections import namedtuple
+from typing import Iterator
 
-from dissect import cstruct
+from dissect.cstruct import cstruct
 from dissect.util.stream import BufferedStream
+from dissect.util.ts import from_unix
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.record import TargetRecordDescriptor
+from dissect.target.plugin import OperatingSystem, Plugin, export
+from dissect.target.target import Target
+
+UTMP_FIELDS = [
+    ("datetime", "ts"),
+    ("string", "ut_type"),
+    ("string", "ut_user"),
+    ("varint", "ut_pid"),
+    ("string", "ut_line"),
+    ("string", "ut_id"),
+    ("string", "ut_host"),
+    ("net.ipaddress", "ut_addr"),
+]
+
+BtmpRecord = TargetRecordDescriptor(
+    "linux/log/btmp",
+    [
+        *UTMP_FIELDS,
+    ],
+)
+
+WtmpRecord = TargetRecordDescriptor(
+    "linux/log/wtmp",
+    [
+        *UTMP_FIELDS,
+    ],
+)
 
 c_utmp = """
 #define UT_LINESIZE     32
@@ -43,21 +79,39 @@
     struct  exit_status ut_exit;
     long    ut_session;
     struct  timeval ut_tv;
-    int32_t ut_addr_v6[4];
+    int32_t ut_addr_v6[4];         // Internet address of remote host; IPv4 address uses just ut_addr_v6[0]
     char    __unused[20];
 };
-"""
+"""  # noqa: E501
 
-utmp = cstruct.cstruct()
+utmp = cstruct()
 utmp.load(c_utmp)
 
+UTMP_ENTRY = namedtuple(
+    "UTMPRecord",
+    [
+        "ts",
+        "ut_type",
+        "ut_user",
+        "ut_pid",
+        "ut_line",
+        "ut_id",
+        "ut_host",
+        "ut_addr",
+    ],
+)
+
 
 class UtmpFile:
     """utmp maintains a full accounting of the current status of the system"""
 
-    def __init__(self, fh, compressed=False):
-        self.fh = fh
-        self.compressed = compressed
+    def __init__(self, target: Target, path: TargetPath):
+        self.fh = target.fs.path(path).open()
+
+        if "gz" in path:
+            self.compressed = True
+        else:
+            self.compressed = False
 
     def __iter__(self):
         if self.compressed:
@@ -68,6 +122,116 @@ def __iter__(self):
 
         while True:
             try:
-                yield utmp.entry(byte_stream)
+                entry = utmp.entry(byte_stream)
+
+                r_type = ""
+                if entry.ut_type in utmp.Type.reverse:
+                    r_type = utmp.Type.reverse[entry.ut_type]
+
+                ut_host = entry.ut_host.decode(errors="surrogateescape").strip("\x00")
+                ut_addr = None
+
+                # UTMP misuses the field ut_addr_v6 for IPv4 and IPv6 addresses, because of this the ut_host field
+                # is used to determine if the ut_addr_v6 is an IPv6 address where the last 12 bytes of trailing zeroes.
+                if entry.ut_addr_v6:
+                    if not entry.ut_addr_v6[1:] == [0, 0, 0]:
+                        # IPv6 address that uses > 4 bytes
+                        ut_addr = ipaddress.ip_address(struct.pack("<4i", *entry.ut_addr_v6))
+                    else:
+                        try:
+                            if isinstance(ipaddress.ip_address(ut_host), ipaddress.IPv6Address):
+                                # IPv6 address that uses 4 bytes with 12 bytes of trailing zeroes.
+                                ut_addr = ipaddress.ip_address(struct.pack("<4i", *entry.ut_addr_v6))
+                            elif isinstance(ipaddress.ip_address(ut_host), ipaddress.IPv4Address):
+                                # IPv4 address (ut_host, ut_addr_v6)
+                                ut_addr = ipaddress.ip_address(struct.pack("<i", entry.ut_addr_v6[0]))
+                            else:
+                                pass
+                        except ValueError:
+                            # NOTE: in case the ut_host does not contain a valid IPv6 address,
+                            # ut_addr_v6 is parsed as IPv4 address. This could not lead to incorrect results.
+                            ut_addr = ipaddress.ip_address(struct.pack("<i", entry.ut_addr_v6[0]))
+
+                utmp_entry = UTMP_ENTRY(
+                    ts=from_unix(entry.ut_tv.tv_sec),
+                    ut_type=r_type,
+                    ut_pid=entry.ut_pid,
+                    ut_user=entry.ut_user.decode(errors="surrogateescape").strip("\x00"),
+                    ut_line=entry.ut_line.decode(errors="surrogateescape").strip("\x00"),
+                    ut_id=entry.ut_id.decode(errors="surrogateescape").strip("\x00"),
+                    ut_host=ut_host,
+                    ut_addr=ut_addr,
+                )
+
+                yield utmp_entry
             except EOFError:
                 break
+
+
+class UtmpPlugin(Plugin):
+    WTMP_GLOB = "/var/log/wtmp*"
+    BTMP_GLOB = "/var/log/btmp*"
+
+    def check_compatible(self) -> None:
+        if not self.target.os == OperatingSystem.LINUX and not any(
+            [
+                list(self.target.fs.glob(self.BTMP_GLOB)),
+                list(self.target.fs.glob(self.WTMP_GLOB)),
+            ]
+        ):
+            raise UnsupportedPluginError("No WTMP or BTMP log files found")
+
+    @export(record=[BtmpRecord])
+    def btmp(self) -> Iterator[BtmpRecord]:
+        """Return failed login attempts stored in the btmp file.
+
+        On a Linux system, failed login attempts are stored in the btmp file located in the var/log/ folder.
+
+        References:
+            - https://en.wikipedia.org/wiki/Utmp
+            - https://www.thegeekdiary.com/what-is-the-purpose-of-utmp-wtmp-and-btmp-files-in-linux/
+        """
+        btmp_paths = self.target.fs.glob(self.BTMP_GLOB)
+        for btmp_path in btmp_paths:
+            btmp = UtmpFile(self.target, btmp_path)
+
+            for entry in btmp:
+                yield BtmpRecord(
+                    ts=entry.ts,
+                    ut_type=entry.ut_type,
+                    ut_pid=entry.ut_pid,
+                    ut_user=entry.ut_user,
+                    ut_line=entry.ut_line,
+                    ut_id=entry.ut_id,
+                    ut_host=entry.ut_host,
+                    ut_addr=entry.ut_addr,
+                    _target=self.target,
+                )
+
+    @export(record=[WtmpRecord])
+    def wtmp(self) -> Iterator[WtmpRecord]:
+        """Return the content of the wtmp log files.
+
+        The wtmp file contains the historical data of the utmp file. The utmp file contains information about users
+        logins at which terminals, logouts, system events and current status of the system, system boot time
+        (used by uptime) etc.
+
+        References:
+            - https://www.thegeekdiary.com/what-is-the-purpose-of-utmp-wtmp-and-btmp-files-in-linux/
+        """
+        wtmp_paths = self.target.fs.glob(self.WTMP_GLOB)
+        for wtmp_path in wtmp_paths:
+            wtmp = UtmpFile(self.target, wtmp_path)
+
+            for entry in wtmp:
+                yield WtmpRecord(
+                    ts=entry.ts,
+                    ut_type=entry.ut_type,
+                    ut_pid=entry.ut_pid,
+                    ut_user=entry.ut_user,
+                    ut_line=entry.ut_line,
+                    ut_id=entry.ut_id,
+                    ut_host=entry.ut_host,
+                    ut_addr=entry.ut_addr,
+                    _target=self.target,
+                )
diff --git a/dissect/target/plugins/os/unix/log/wtmp.py b/dissect/target/plugins/os/unix/log/wtmp.py
deleted file mode 100644
index ea278b4ca..000000000
--- a/dissect/target/plugins/os/unix/log/wtmp.py
+++ /dev/null
@@ -1,62 +0,0 @@
-import socket
-import struct
-
-from dissect.util.ts import from_unix
-
-from dissect.target.helpers.record import TargetRecordDescriptor
-from dissect.target.plugin import Plugin, export
-from dissect.target.plugins.os.unix.log.utmp import UtmpFile, utmp
-
-WtmpRecord = TargetRecordDescriptor(
-    "linux/log/wtmp",
-    [
-        ("datetime", "ts"),
-        ("string", "ut_type"),
-        ("string", "ut_user"),
-        ("varint", "ut_pid"),
-        ("string", "ut_line"),
-        ("string", "ut_id"),
-        ("string", "ut_host"),
-        ("net.ipaddress", "ut_addr"),
-    ],
-)
-
-
-class WtmpPlugin(Plugin):
-    def check_compatible(self):
-        check = list(self.target.fs.glob("/var/log/wtmp*"))
-        return len(check) > 0
-
-    @export(record=[WtmpRecord])
-    def wtmp(self):
-        """Return the content of the wtmp log files.
-
-        The wtmp file contains the historical data of the utmp file. The utmp file contains information about users
-        logins at which terminals, logouts, system events and current status of the system, system boot time
-        (used by uptime) etc.
-
-        References:
-            - https://www.thegeekdiary.com/what-is-the-purpose-of-utmp-wtmp-and-btmp-files-in-linux/
-        """
-        wtmp_paths = self.target.fs.glob("/var/log/wtmp*")
-        for wtmp_path in wtmp_paths:
-            if "gz" in wtmp_path:
-                wtmp = UtmpFile(self.target.fs.open(wtmp_path), compressed=True)
-            else:
-                wtmp = UtmpFile(self.target.fs.open(wtmp_path))
-            r_type = ""
-            for entry in wtmp:
-                if entry.ut_type in utmp.Type.reverse:
-                    r_type = utmp.Type.reverse[entry.ut_type]
-
-                yield WtmpRecord(
-                    ts=from_unix(entry.ut_tv.tv_sec),
-                    ut_type=r_type,
-                    ut_pid=entry.ut_pid,
-                    ut_user=entry.ut_user.decode().strip("\x00"),
-                    ut_line=entry.ut_line.decode().strip("\x00"),
-                    ut_id=entry.ut_id.decode().strip("\x00"),
-                    ut_host=entry.ut_host.decode().strip("\x00"),
-                    ut_addr=socket.inet_ntoa(struct.pack("<i", entry.ut_addr_v6[0])),
-                    _target=self.target,
-                )
diff --git a/tests/conftest.py b/tests/conftest.py
index 0c80f9272..e003e0d95 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -60,6 +60,15 @@ def fs_unix():
     yield fs
 
 
+@pytest.fixture
+def fs_linux():
+    fs = VirtualFilesystem()
+    fs.makedirs("var")
+    fs.makedirs("etc")
+    fs.makedirs("opt")
+    yield fs
+
+
 @pytest.fixture
 def fs_osx():
     fs = VirtualFilesystem()
@@ -131,6 +140,16 @@ def target_unix(fs_unix):
     yield mock_target
 
 
+@pytest.fixture
+def target_linux(fs_linux):
+    mock_target = next(make_mock_target())
+
+    mock_target.filesystems.add(fs_linux)
+    mock_target.fs.mount("/", fs_linux)
+    mock_target.apply()
+    yield mock_target
+
+
 @pytest.fixture
 def target_osx(fs_osx):
     mock_target = next(make_mock_target())
diff --git a/tests/data/unix/logs/atop b/tests/data/plugins/os/unix/log/atop/atop
similarity index 100%
rename from tests/data/unix/logs/atop
rename to tests/data/plugins/os/unix/log/atop/atop
diff --git a/tests/data/unix/logs/btmp b/tests/data/plugins/os/unix/log/btmp/btmp
similarity index 100%
rename from tests/data/unix/logs/btmp
rename to tests/data/plugins/os/unix/log/btmp/btmp
diff --git a/tests/data/plugins/os/unix/log/btmp/btmp-ipv6 b/tests/data/plugins/os/unix/log/btmp/btmp-ipv6
new file mode 100644
index 000000000..e66d34739
Binary files /dev/null and b/tests/data/plugins/os/unix/log/btmp/btmp-ipv6 differ
diff --git a/tests/data/unix/logs/lastlog b/tests/data/plugins/os/unix/log/lastlog/lastlog
similarity index 100%
rename from tests/data/unix/logs/lastlog
rename to tests/data/plugins/os/unix/log/lastlog/lastlog
diff --git a/tests/data/unix/logs/wtmp b/tests/data/plugins/os/unix/log/wtmp/wtmp
similarity index 100%
rename from tests/data/unix/logs/wtmp
rename to tests/data/plugins/os/unix/log/wtmp/wtmp
diff --git a/tests/data/plugins/os/unix/log/wtmp/wtmp-ipv6 b/tests/data/plugins/os/unix/log/wtmp/wtmp-ipv6
new file mode 100644
index 000000000..0a528fc74
Binary files /dev/null and b/tests/data/plugins/os/unix/log/wtmp/wtmp-ipv6 differ
diff --git a/tests/test_plugins_os_unix_log.py b/tests/test_plugins_os_unix_log.py
index 63fbd1c64..8ad47b115 100644
--- a/tests/test_plugins_os_unix_log.py
+++ b/tests/test_plugins_os_unix_log.py
@@ -1,20 +1,42 @@
 from datetime import datetime, timezone
 
+from dissect.target import Target
+from dissect.target.filesystem import VirtualFilesystem
 from dissect.target.plugins.os.unix.log.atop import AtopPlugin
-from dissect.target.plugins.os.unix.log.btmp import BtmpPlugin
 from dissect.target.plugins.os.unix.log.lastlog import LastLogPlugin
-from dissect.target.plugins.os.unix.log.wtmp import WtmpPlugin
+from dissect.target.plugins.os.unix.log.utmp import UtmpPlugin
 
 from ._utils import absolute_path
 
 
-def test_wtmp_plugin(target_unix, fs_unix):
-    data_file = absolute_path("data/unix/logs/wtmp")
-    fs_unix.map_file("var/log/wtmp", data_file)
+def test_utmp_ipv6(target_linux: Target, fs_linux: VirtualFilesystem) -> None:
+    data_file = absolute_path("data/plugins/os/unix/log/btmp/btmp-ipv6")
+    fs_linux.map_file("var/log/btmp", data_file)
 
-    target_unix.add_plugin(WtmpPlugin)
+    target_linux.add_plugin(UtmpPlugin)
 
-    results = list(target_unix.wtmp())
+    results = list(target_linux.btmp())
+
+    # IPv4 address
+    results[0].ut_host == "127.0.0.1"
+    results[0].ut_addr == "127.0.0.1"
+
+    # IPv6 address
+    results[4].ut_host == "1337::1"
+    results[4].ut_addr == "1337::1"
+
+    # IPv6 address with 12 bytes of trailing zeroes
+    results[5].ut_host == "1337:1::"
+    results[5].ut_addr == "1337:1::"
+
+
+def test_wtmp_plugin(target_linux: Target, fs_linux: VirtualFilesystem) -> None:
+    data_file = absolute_path("data/plugins/os/unix/log/wtmp/wtmp")
+    fs_linux.map_file("var/log/wtmp", data_file)
+
+    target_linux.add_plugin(UtmpPlugin)
+
+    results = list(target_linux.wtmp())
     assert len(results) == 70
     result = results[-1]
     assert result.ts == datetime(2021, 11, 12, 10, 12, 54, tzinfo=timezone.utc)
@@ -27,13 +49,13 @@ def test_wtmp_plugin(target_unix, fs_unix):
     assert result.ut_addr == "0.0.0.0"
 
 
-def test_lastlog_plugin(target_unix_users, fs_unix):
-    data_file = absolute_path("data/unix/logs/lastlog")
-    fs_unix.map_file("/var/log/lastlog", data_file)
+def test_lastlog_plugin(target_linux: Target, fs_linux: VirtualFilesystem) -> None:
+    data_file = absolute_path("data/plugins/os/unix/log/lastlog/lastlog")
+    fs_linux.map_file("/var/log/lastlog", data_file)
 
-    target_unix_users.add_plugin(LastLogPlugin)
+    target_linux.add_plugin(LastLogPlugin)
 
-    results = list(target_unix_users.lastlog())
+    results = list(target_linux.lastlog())
     assert len(results) == 1
 
     assert results[0].ts == datetime(2021, 12, 8, 16, 14, 6, tzinfo=timezone.utc)
@@ -43,13 +65,13 @@ def test_lastlog_plugin(target_unix_users, fs_unix):
     assert results[0].ut_tty == "pts/0"
 
 
-def test_btmp_plugin(target_unix, fs_unix):
-    data_file = absolute_path("data/unix/logs/btmp")
-    fs_unix.map_file("var/log/btmp", data_file)
+def test_btmp_plugin(target_linux: Target, fs_linux: VirtualFilesystem) -> None:
+    data_file = absolute_path("data/plugins/os/unix/log/btmp/btmp")
+    fs_linux.map_file("var/log/btmp", data_file)
 
-    target_unix.add_plugin(BtmpPlugin)
+    target_linux.add_plugin(UtmpPlugin)
 
-    results = list(target_unix.btmp())
+    results = list(target_linux.btmp())
     assert len(results) == 10
     result = results[-1]
     assert result.ts == datetime(2021, 11, 30, 23, 2, 9, tzinfo=timezone.utc)
@@ -62,8 +84,8 @@ def test_btmp_plugin(target_unix, fs_unix):
     assert result.ut_addr == "8.210.13.5"
 
 
-def test_atop_plugin(target_unix, fs_unix):
-    data_file = absolute_path("data/unix/logs/atop")
+def test_atop_plugin(target_unix: Target, fs_unix: VirtualFilesystem) -> None:
+    data_file = absolute_path("data/plugins/os/unix/log/atop/atop")
     fs_unix.map_file("var/log/atop/atop_20221111", data_file)
 
     target_unix.add_plugin(AtopPlugin)