Linux is a multi-user system. It is always important to know who has logged into your Linux box. This isn’t just to help track the activities of malicious users, but mostly to figure out who made the mistake that crashed the system.
We collect 6 Linux commands for this task.
The following Linux commands can be used to check logged-in users.
- w This command shows who’s logged in and what they are doing.
- who The who command in Linux displays a list of all the users who are currently logged in to the system.
- whoami The whoami command displays the username of the current user.
- id The id command Print user and group information for the logged user
- last The last command shows the list of the last logged in users
- tail -f /var/log/secure
Table of Contents
check logged in users with w command in Linux
The best Linux command to check the logged-in users is using w command. All we need is to open the terminal then type w in the prompt. This command shows who’s logged in and what they are doing.
It displays information about current users on the machine by reading the file /var/run/utmp, and their processes from /proc.
The procedure to check logged-in users in Linux is as follows:
- Open the terminal application.
- Type w to check the user
- Press Enter to run the command.
- The output will display the users that are currently logged in. This includes their username, where they are logged in from, and what they are currently doing
Here’s an example output of the w command:
10:15:21 up 1 day, 2:30, 3 users, load average: 0.12, 0.10, 0.09
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
user1 tty1 - 10:15 0.00s 0.01s 0.00s w
user2 pts/0 192.168.1.100 09:45 1:30 0.20s 0.05s sshd: user2@pts/0
user3 pts/1 192.168.1.101 08:30 2.50s 0.50s 0.10s top
In the example above:
The first line provides system-related information, including the current time, uptime, number of logged-in users, and the system load average.
The subsequent lines display the information for each logged-in user. It includes the username, terminal, remote host (if applicable), login time, idle time, JCPU (total CPU time for all processes), PCPU (CPU time for the current process), and the command or process associated with the session.
There are 3 users in this system. Each line corresponds to a user session and provides various details about the session.
| Username | user1 |
| Terminal | tty1 |
| Remote Host | – |
| Login Time | 10:15 |
| Idle Time | 0.00s |
| JCPU | 0.01s |
| PCPU | 0.00s |
| Command | w |
check logged in users with Who command in Linux
who – The who command prints information about all users who are currently logged in. It reads from a default file location (usually /var/run/utmp).
$ who
ocp pts/0 Jan 26 12:05 (64.104.125.239)
The who command in Linux is used to display information about the currently logged-in users on the system.
When you run the who command without any options, it will display a list of logged-in users with the following details:
1. Username: The username of the logged-in user.
2. Terminal: The name of the terminal or device where the user is logged in. It can be a physical terminal or a remote session.
3. Date and time: The login date and time when the user session was initiated.
Here’s an example output of the `who` command:
user1 tty1 2023-06-25 10:15
user2 pts/0 2023-06-25 09:45 (:0)
user3 pts/1 2023-06-25 08:30 (:1)
In the example above, there are three logged-in users:
1. user1 is logged in on tty1 (a physical terminal) and logged in at 10:15.
2. user2 is logged in on pts/0, which indicates a pseudo-terminal or a remote session. The session is associated with display `:0` (X display).
3. user3 is logged in on pts/1 and associated with display `:1`.
The `who` command provides a quick overview of the currently active user sessions on the system.
check logged in users with whoami command in Linux
whoami – The whoami command shows you which user account you’re logged in to from a terminal window.
$ whoami
ocp
The whoami command in Linux is used to display the username of the current user who is executing the command. When you run the whoami command, it simply returns the username associated with the current user session.
Here’s an example:
$ whoami
user1
In the example above, the whoami command returns user1, indicating that the current user executing the command is logged in as user1.
The whoami command is useful in scripts or command-line operations where you need to know the username of the current user without explicitly specifying it. It provides a convenient way to retrieve the current user’s identity within a shell session.
check logged in users with id command in Linux
id – The id command Print user and group information for the specified username
$ id
uid=50291(ocp) gid=50291(ocp) groups=50291(ocp) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
The id command in Linux is used to display information about the current user or a specified user. When you run the id command without any options, it provides the following information about the current user:
- User ID (UID): The numerical identification assigned to the user by the system.
- Group ID (GID): The numerical identification assigned to the user’s primary group.
- User and Group Names: The names of the user and primary group.
- Supplementary Group IDs: The numerical identification of any additional groups that the user belongs to.
Here’s an example output of the id command for the current user:
$ id
uid=1000(username) gid=1000(groupname) groups=1000(groupname),10(wheel)
The id command also allows you to specify a username as an argument to retrieve information about a specific user. For example:
$ id anotheruser
uid=2000(anotheruser) gid=2000(anothergroup) groups=2000(anothergroup),3000(somegroup)
In the example above, the id anotheruser command displays information about the user anotheruser, including their UID, GID, user and group names, and supplementary group IDs.
The id command is useful for obtaining detailed information about user and group identities, which can be beneficial for system administration, access control, and verifying user permissions and group memberships.
check logged in users with last command in Linux
last – The last command shows list of last logged in users by searching the data from /var/log/wtmp file. Also it shows system reboot information.
$ sudo last
ocp pts/0 64.104.125.239 Wed Jan 26 12:05 still logged in
ocp pts/0 64.104.125.239 Wed Jan 26 08:59 – 09:09 (00:10)
The `last` command in Linux is used to display a list of recently logged-in users and their corresponding login history. When you run the `last` command without any options, it provides a chronological list of the most recent user logins, including the following information:
- Username: The username of the logged-in user.
- Terminal: The name of the terminal or device where the user logged in. It can be a physical terminal or a remote session.
- Remote Host: The IP address or hostname of the remote machine from which the user connected (if applicable).
- Login Time: The date and time when the user session was initiated.
- Logout Time: The date and time when the user session ended (if the user has logged out).
- Duration: The duration of the user’s session.
Here’s an example output of the `last` command:
user1 tty1 Thu Jun 24 09:30 still logged in
user2 pts/0 Wed Jun 23 17:45 still logged in (192.168.1.100)
user3 pts/1 Wed Jun 23 15:20 Thu Jun 24 09:00 (192.168.1.101)
In the example above:
`user1` is currently logged in on `tty1` (a physical terminal) since Thu Jun 24 09:30 and is still logged in.
`user2` is logged in on `pts/0` (a pseudo-terminal or remote session) since Wed Jun 23 17:45 and is still logged in. The session is associated with the remote host `192.168.1.100`.
`user3` logged in on `pts/1` since Wed Jun 23 15:20 and logged out on Thu Jun 24 09:00. The session was associated with the remote host `192.168.1.101`.
The `last` command is helpful for monitoring user logins, identifying active sessions, and checking the duration of user sessions. It can be used to track user activity, troubleshoot login issues, or investigate security incidents by examining login history.
check logged in users from log file in Linux
tail -f /var/log/secure – It is mainly used to track the usage of authorization systems.It stores all security related messages including authentication failures.It also tracks sudo logins, SSH logins and other errors logged by system security services daemon.
Jan 26 12:08:06 ip-172-31-37-167 sudo[31036]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Jan 26 12:08:06 ip-172-31-37-167 sudo[31036]: pam_unix(sudo:session): session opened for user root by ocp(uid=0)
The command tail -f /var/log/secure is used to monitor the /var/log/secure file in real-time.
Here’s a breakdown of the command:
- tail: It is a command-line utility in Linux used to display the end (tail) of a file.
- -f: It is an option for the tail command that stands for “follow.” When used with the -f option, tail will continuously monitor the file and display new lines as they are appended to the file.
- /var/log/secure: It is the path to the log file being monitored. In this case, it refers to the /var/log/secure file, which is commonly used to store security-related logs on Linux systems, including authentication attempts, successful logins, and other security events.