Identifying who has logged in to a Linux system is much easier than on the Windows operating system.
On Linux, every attempt to log in over SSH is recorded in a log file, located at /var/log/auth.log. The location can be different in other distributions.
If there is no auth.log file on your system, run the command below to view the log from the systemd journal instead.
journalctl -u sshd |tail -100
- -u (Show journal entries for the specified systemd unit)
- sshd (The name of the systemd unit for the SSH server)
- tail -100 (Print the last 100 lines of the output)
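As an added example (not part of the original article), the shell function below summarises accepted and failed SSH logins per user and source address from text in the auth.log format. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in auth.log format (not real log data).
sample_auth_log() {
    cat <<'EOF'
Jan 10 09:14:02 web01 sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:EXAMPLEONLY
Jan 10 09:15:40 web01 sshd[2120]: Failed password for root from 198.51.100.7 port 40112 ssh2
Jan 10 09:15:43 web01 sshd[2120]: Failed password for root from 198.51.100.7 port 40112 ssh2
Jan 10 09:16:01 web01 sshd[2133]: Failed password for invalid user test user from 198.51.100.7 port 40150 ssh2
Jan 10 09:20:11 web01 sshd[2140]: Accepted password for bob from 203.0.113.25 port 51844 ssh2
Jan 10 09:20:12 web01 sshd[2140]: pam_unix(sshd:session): session opened for user bob by (uid=0)
EOF
}

# Reads sshd log text on stdin; prints count<TAB>result<TAB>source_ip<TAB>user.
summarize_ssh_logins() {
    awk '
    / sshd(\[[0-9]+\])?: (Accepted|Failed) / {
        # Locate the message token that follows the "sshd[pid]:" tag.
        for (i = 2; i <= NF; i++)
            if ($(i - 1) ~ /^sshd(\[[0-9]+\])?:$/) break
        if (($i != "Accepted" && $i != "Failed") || $(i + 2) != "for") next
        result = $i
        j = i + 3                      # first field of the user name
        if ($j == "invalid" && $(j + 1) == "user") {
            result = "Failed(invalid-user)"; j += 2
        }
        # The user name of a failed attempt is chosen by the client and may
        # contain spaces, so anchor on the LAST "from <ip> port" in the line.
        for (f = NF - 2; f > j; f--)
            if ($f == "from" && $(f + 2) == "port") break
        if (f <= j) next               # unexpected layout, skip the line
        user = $j
        for (k = j + 1; k < f; k++) user = user " " $k
        count[result "\t" $(f + 1) "\t" user]++
    }
    END { for (key in count) print count[key] "\t" key }
    ' | LC_ALL=C sort -k1,1nr -k2
}

sample_auth_log | summarize_ssh_logins
```

On a live system, feed it real data instead of the sample, for example `journalctl -u sshd | summarize_ssh_logins` or `summarize_ssh_logins < /var/log/auth.log`.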
Get the running process of the logged-in user using w
The w command shows who is logged in to your system right now and what they are doing, in the following columns.
- USER (Login name of the user)
- TTY (Terminal, or teletype, the user is logged in on)
- LOGIN (Time the user logged in; shown as LOGIN@ in the output)
- IDLE (Time since the user was last active)
- JCPU (Time used by all processes attached to the TTY)
- PCPU (Time used by the current process)
- WHAT (Command the user is currently executing)
The following options can be used with the w command.
- -h (Do not print the header line: USER, TTY, LOGIN, IDLE, JCPU, PCPU, WHAT)
- -u (Ignore the user name when working out the current process and CPU times)
- -s (Short format: display only the USER, TTY, IDLE, WHAT columns)
- -i (Display the IP address of remote users instead of the hostname)
Get logged in user name and process using who command
The who command lists logged-in users with their login name, process ID, and login time.
Running who with no arguments displays the username, line, and time of all currently logged-in sessions.
Display information only for the current terminal session:
who am i
Display all available information with the -a option; add -H to include table headers:
who -a -H