Why is my CPU fan screaming like crazy, and I’m not running any services or applications in the background? What’s wrong happen with a system? Honestly, I like when a CPU fan makes a noise. Oh, cruel boy.
Nevertheless, it is an alarming situation for me, Let me get into my system, and I’ll catch you in a while.
Uh-huh, Bob was connected remotely through an SSH connection.
Have you ever encounter this kind of situation? or you are curious who has logged into your system in your absence? Whatever the reason, maybe I’ll get solutions for you.
In all, GNU/Linux Distributions has many commands that show you who has logged into your system with many details like uptime, system load average, executed command, and other important information.
Table of Contents
List of Commands to check who has logged in to Linux
- w:- This command is good when you want to check users, idle time, and process time
- who:- Simply show users how it’s connected and at what time
- users:- List out all currently logged users
- last:- Show when the user logged in and logged out
Now you know what all commands options are available to us, let see how we can use them in our system to find logged users.
w command
w command can also be used as an alternative to uptime command with more intuitive details like USER, TTY, FROM, LOGIN@, IDLE, JCPU, PCPU, and WHAT
To check current users using w command, pass the below command:
$ w
08:49:15 up 22:31, 4 users, load average: 1.10, 1.34, 1.32
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
trendoce pts/1 :0 07:55 1.00s 1.50s 0.01s w
bob pts/2 192.168.0.100 08:49 46.30 0.02s 0.02s -bash
tim pts/3 192.168.0.104 09:34 6.00s 0.02s 0.02s -bash
bob tty3 - 09:37 29.00s 0.06s 0.02s -bash
The output will display the current time with total system hours of awake, a total number of users, and the last load average.
- USER:- Currently logged in username
- TTY:- Show information about the terminal used to log on. In the above output, pts/1 mean pseudo terminal slave and sequence number.
- FROM:- If you do login from a konsole, gnome-terminal, it will display :0. In the case of SSH connection, :0 will replace with the respective source IP address or hostname.
- LOGIN@:- The Time when the user made a login
- IDLE:- The Time between the last command fired
- JCPU:- A CPU time used by individual login or tty.
- PCPU:-The time consumed by the current process
- WHAT:- The command line of the current user
You can also pass different arguments, which you can view from the manual by passing the following command:
$ man w
who command
I hope most of them know about whoami have you unknowingly typed who command into your Linux terminal? “No”. Fair enough.
who command do much more than just showing the username. A default output shows TTY name, date & time, source IP address, and it can be tweaked using flags or options.
When you pass who command directly to a terminal for the first time, it may take a couple of seconds to understand the output. To avoid that, I’ll use -H options.
$ who -H
NAME LINE TIME COMMENT
trendoceans pts/1 2021-09-16 07:55 (:0)
sue pts/3 2021-09-16 09:35 (192.168.0.104)
bob tty3 2021-09-16 09:37
This was quite simple. Huh, I thought who command will do much more than w command.
Wait wait. The above output is the shorter version of who for more details, you need to pass options that will show you the last boot, PID, idle, login, and many other pieces of information.
To get everything once use -a or –all along with H for heading:
$ who -aH
NAME LINE TIME IDLE PID COMMENT EXIT
system boot 2021-09-15 15:47
run-level 5 2021-09-15 10:17
trendoceans + tty7 2021-09-15 10:18 old 18024 (:0)
trendoceans + pts/0 2021-09-15 10:18 old 18297 (:0)
trendoceans - pts/1 2021-09-16 07:55 . 42593 (:0)
pts/2 2021-09-16 11:21 46368 id=ts/2 term=0 exit=0
pts/3 2021-09-16 11:51 47248 id=ts/3 term=0 exit=0
bob - tty3 2021-09-16 09:37 03:48 47473
LOGIN tty2 2021-09-16 09:37 47560 id=tty2
LOGIN tty4 2021-09-16 09:37 47561 id=tty4
LOGIN tty5 2021-09-16 09:37 47562 id=tty5
LOGIN tty6 2021-09-16 09:37 47563 id=tty6
We can also view the current run-level, system boot, and PID with exit code. For more options or flags, use the man command
$ man who
users command
You don’t care about extra details, then the users command is best. It will print all currently logged users on a system, to see type the simple command:
users
bob trendoceans trendoceans tim sue
I think users command is best when you don’t want anything extra.
last command
The above options are worth trying. Can we have something through which we can know when the X or Y user-made login and logged out? Yes, we can track that too.
The last command can list out all the login details about a specific user or combine at once, and of course, you can filter out using the last or grep command.
To see combine results pass the following command:
$ last | less
bob tty3 Thu Sep 16 09:37 still logged in
sue pts/3 192.168.0.104 Thu Sep 16 09:37 - 11:51 (02:15)
tim pts/3 192.168.0.104 Thu Sep 16 09:34 - 09:35 (00:00)
bob pts/2 192.168.0.100 Thu Sep 16 08:49 - 11:21 (02:32)
trendoce pts/3 :0 Thu Sep 16 08:48 - 08:48 (00:00)
trendoce pts/2 192.168.0.100 Thu Sep 16 08:02 - 08:48 (00:46)
trendoce pts/1 :0 Thu Sep 16 07:55 still logged in
trendoce pts/1 :0 Wed Sep 15 10:19 - 10:19 (00:00)
trendoce pts/0 :0 Wed Sep 15 10:18 still logged in
trendoce tty7 :0 Wed Sep 15 10:18 still logged in
reboot system boot 5.10.0-8-amd64 Wed Sep 15 15:47 still running
trendoce pts/0 :0 Tue Sep 14 22:57 - crash (16:50)
The output consists of a username, terminal type, source IP address in case of SSH, date & time stamp, status, and duration.
I’ll explain output with a basic example, user bob logged in to his system using tty3 on Sep 16 time around 09:37, and status is still it depicts user is working.
Once bob finished his work, he closed his system, and status changed with logout time and duration of logging in.
bob tty3 Thu Sep 16 09:37 - 14:43 (05:06)
The last command also supports various options. Please go through with a manual once.
Wrapping up
That’s all to check who has logged into my Linux system. The output receives on STDIN comes from var/log/wtmp, /var/log/btmp, /var/run/utmp
I have covered the necessary options. If you want to learn more about a specific command, please use the manual.
Read this to:- 30 Basic commands which every Linux user should know
If you want to share something that would help others, please share it in a comment section.
Innovative tech mind with 12 years of experience working as a computer programmer, web developer, and security researcher. Capable of working with a variety of technology and software solutions, and managing databases.