Linux is a multi-user system. It is always important to know who has logged into your Linux box.This isn’t just to help track the activities of malicious users, but mostly to figure out who made the mistake that crashed the system. We collect 6 Linux commands for this task.
The following Linux commands can be used to check logged in users.
- w This command shows who’s logged in and what they are doing.
- who The who command in Linux displays a list of all the users who are currently logged in to the system.
- whoami The whoami command displays the username of the current user.
- id The id command Print user and group information for the logged user
- last The last command shows list of last logged in users
- tail -f /var/log/secure
check logged in users with w command in Linux
The best Linux command to check the logged-in users is using w command. All we need is to open the terminal then type w in the prompt. This command shows who’s logged in and what they are doing. It displays information about current users on the machine by reading the file /var/run/utmp, and their processes from /proc.
The procedure to check logged-in users in Linux is as follows:
- Open the terminal application.
- Type w to check the user
- Press Enter to run the command.
- The output will display the users that are currently logged in. This includes their username, where they are logged in from, and what they are currently doing
The header shows, in this order, the current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes. The following entries are displayed for each user: login name, the tty name, the remote host, login time, idle time, JCPU, PCPU, and the command line of their current process.
12:05:34 up 8 days, 2:30, 1 user, load average: 0.08, 0.02, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
ocp pts/0 64.104.125.239 12:05 3.00s 0.02s 0.02s w
check logged in users with Who command in Linux
who – The who command prints information about all users who are currently logged in. It reads from a default file location (usually /var/run/utmp).
$ who
ocp pts/0 Jan 26 12:05 (64.104.125.239)
check logged in users with whoami command in Linux
whoami – The whoami command shows you which user account you’re logged in to from a terminal window.
$ whoami
ocp
check logged in users with id command in Linux
id – The id command Print user and group information for the specified username
$ id
uid=50291(ocp) gid=50291(ocp) groups=50291(ocp) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
check logged in users with last command in Linux
last – The last command shows list of last logged in users by searching the data from /var/log/wtmp file. Also it shows system reboot information.
$ sudo last
ocp pts/0 64.104.125.239 Wed Jan 26 12:05 still logged in
ocp pts/0 64.104.125.239 Wed Jan 26 08:59 – 09:09 (00:10)
check logged in users from log file in Linux
tail -f /var/log/secure – It is mainly used to track the usage of authorization systems.It stores all security related messages including authentication failures.It also tracks sudo logins, SSH logins and other errors logged by system security services daemon.
Jan 26 12:08:06 ip-172-31-37-167 sudo[31036]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Jan 26 12:08:06 ip-172-31-37-167 sudo[31036]: pam_unix(sudo:session): session opened for user root by ocp(uid=0)