6 Ways to check logged in users in Linux


Linux is a multi-user system. It is always important to know who has logged into your Linux box.

This isn’t just to help track the activities of malicious users, but mostly to figure out who made the mistake that crashed the system. We have collected 6 Linux commands for this task.

The following Linux commands can be used to check logged in users.

  • w
  • who
  • whoami
  • id
  • last
  • tail -f /var/log/secure


check logged in users with w command

The best Linux command for checking logged-in users is w. Open a terminal and type w at the prompt. This command shows who’s logged in and what they are doing. It displays information about current users on the machine by reading the file /var/run/utmp, and their processes from /proc.

The header shows, in this order, the current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes. The following entries are displayed for each user: login name, the tty name, the remote host, login time, idle time, JCPU, PCPU, and the command line of their current process.

12:05:34 up 8 days, 2:30, 1 user, load average: 0.08, 0.02, 0.01
ocp pts/0 12:05 3.00s 0.02s 0.02s w

check logged in users with who command

who – The who command prints information about all users who are currently logged in. It reads from a default file location (usually /var/run/utmp).

$ who
ocp pts/0 Jan 26 12:05 (

check logged in users with whoami command

whoami – The whoami command shows you which user account you’re logged in to from a terminal window.

$ whoami

check logged in users with id command

id – The id command prints user and group information for the specified username, or for the current user when no username is given.

$ id
uid=50291(ocp) gid=50291(ocp) groups=50291(ocp) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

check logged in users with last command

last – The last command shows a list of the most recent logins by searching the data in the /var/log/wtmp file. It also shows system reboot information.

$ sudo last
ocp pts/0 Wed Jan 26 12:05 still logged in
ocp pts/0 Wed Jan 26 08:59 - 09:09 (00:10)

check logged in users from log file

tail -f /var/log/secure – The /var/log/secure file is mainly used to track the usage of authorization systems. It stores all security-related messages, including authentication failures. It also tracks sudo logins, SSH logins and other errors logged by the system security services daemon. Running tail -f on it shows new entries as they are written.

Jan 26 12:08:06 ip-172-31-37-167 sudo[31036]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Jan 26 12:08:06 ip-172-31-37-167 sudo[31036]: pam_unix(sudo:session): session opened for user root by ocp(uid=0)
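
Rather than watching these lines scroll by, the "session opened" entries can be filtered into a short who-became-whom list. This is an added example, not part of the original article: the function names sample_log, session_events and root_sessions are hypothetical, the sample lines are constructed on the model of the two above, and it assumes the pam_unix message format shown on this page.

```sh
#!/bin/sh
# Added example: list PAM "session opened" events from an auth log.

# Constructed sample lines in the /var/log/secure format shown above
# (hostname "host1", PIDs and the address 192.0.2.10 are made up).
sample_log() {
cat <<'EOF'
Jan 26 12:05:01 host1 sshd[30990]: pam_unix(sshd:session): session opened for user ocp by (uid=0)
Jan 26 12:08:06 host1 sudo[31036]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Jan 26 12:08:06 host1 sudo[31036]: pam_unix(sudo:session): session opened for user root by ocp(uid=0)
Jan 26 12:09:10 host1 sshd[31050]: Failed password for invalid user admin from 192.0.2.10 port 50122 ssh2
Jan 26 12:09:40 host1 sudo[31036]: pam_unix(sudo:session): session closed for user root
EOF
}

# Read log lines on stdin; print "Mon DD HH:MM:SS service actor target"
# for every opened session. actor is "-" when the log names no
# requesting user, as in the sshd line of the sample.
session_events() {
  awk '
    /session opened for user/ {
      svc = "?"
      # The service name sits inside pam_unix(<service>:session).
      if (match($0, /pam_unix\([^:]+:session\)/))
        svc = substr($0, RSTART + 9, RLENGTH - 18)
      rest = $0
      sub(/.*session opened for user /, "", rest)  # "root by ocp(uid=0)"
      n = split(rest, f, " ")
      target = f[1]
      sub(/\(.*/, "", target)                      # drop a "(uid=N)" suffix
      actor = ""
      if (n >= 3) actor = f[3]
      sub(/\(.*/, "", actor)
      if (actor == "") actor = "-"
      print $1, $2, $3, svc, actor, target
    }'
}

# Only the events where a named user opened a session as root.
root_sessions() {
  session_events | awk '$6 == "root" && $5 != "-"'
}

# Demonstration on the constructed sample.
sample_log | root_sessions
```

To run it against the real log, pipe it in: sudo cat /var/log/secure | root_sessions.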
