How to check who has logged into my Linux system

Why is my CPU fan screaming like crazy, and I’m not running any services or applications in the background? What’s wrong happen with a system? Honestly, I like when a CPU fan makes a noise. Oh, cruel boy.

Nevertheless, it is an alarming situation for me, Let me get into my system, and I’ll catch you in a while.

Uh-huh, Bob was connected remotely through an SSH connection.

Have you ever encounter this kind of situation? or you are curious who has logged into your system in your absence? Whatever the reason, maybe I’ll get solutions for you.

In all, GNU/Linux Distributions has many commands that show you who has logged into your system with many details like uptimesystem load average, executed command, and other important information.

List of Commands to check who has logged in to Linux

  • w:- This command is good when you want to check users, idle time, and process time
  • who:- Simply show users how it’s connected and at what time
  • users:- List out all currently logged users
  • last:- Show when the user logged in and logged out

Now you know what all commands options are available to us, let see how we can use them in our system to find logged users.

w command

w command can also be used as an alternative to uptime command with more intuitive details like USERTTYFROMLOGIN@IDLEJCPUPCPU, and WHAT

To check current users using  w command, pass the below command:

$ w
08:49:15 up 22:31,  4 users,  load average: 1.10, 1.34, 1.32

USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
trendoce pts/1    :0               07:55    1.00s  1.50s  0.01s w
bob      pts/2    08:49    46.30  0.02s  0.02s -bash
tim      pts/3    09:34    6.00s  0.02s  0.02s -bash
bob      tty3     -                09:37   29.00s  0.06s  0.02s -bash

The output will display the current time with total system hours of awake, a total number of users, and the last load average.

  • USER:- Currently logged in username
  • TTY:- Show information about the terminal used to log on. In the above output, pts/1 mean pseudo terminal slave and sequence number.
  • FROM:- If you do login from a konsole, gnome-terminal, it will display :0. In the case of SSH connection, :0 will replace with the respective source IP address or hostname.
  • LOGIN@:- The Time when the user made a login
  • IDLE:- The Time between the last command fired
  • JCPU:- A CPU time used by individual login or tty.
  • PCPU:-The time consumed by the current process
  • WHAT:- The command line of the current user

You can also pass different arguments, which you can view from the manual by passing the following command:

$ man w

who command

I hope most of them know about whoami have you unknowingly typed who command into your Linux terminal? “No”. Fair enough.

who command do much more than just showing the username. A default output shows TTY namedate & time, source IP address, and it can be tweaked using flags or options.

When you pass who command directly to a terminal for the first time, it may take a couple of seconds to understand the output. To avoid that, I’ll use -H options.

$ who -H
NAME     LINE         TIME             COMMENT

trendoceans pts/1        2021-09-16 07:55 (:0)
sue      pts/3        2021-09-16 09:35 (
bob      tty3         2021-09-16 09:37

This was quite simple. Huh, I thought who command will do much more than w command.

Wait wait. The above output is the shorter version of who for more details, you need to pass options that will show you the last boot, PID, idle, login, and many other pieces of information.

To get everything once use -a or –all along with H for heading:

$ who -aH
NAME       LINE         TIME             IDLE          PID COMMENT  EXIT

           system boot  2021-09-15 15:47
           run-level 5  2021-09-15 10:17
trendoceans + tty7         2021-09-15 10:18  old        18024 (:0)
trendoceans + pts/0        2021-09-15 10:18  old        18297 (:0)
trendoceans - pts/1        2021-09-16 07:55   .         42593 (:0)
           pts/2        2021-09-16 11:21             46368 id=ts/2  term=0 exit=0
           pts/3        2021-09-16 11:51             47248 id=ts/3  term=0 exit=0
bob      - tty3         2021-09-16 09:37 03:48       47473
LOGIN      tty2         2021-09-16 09:37             47560 id=tty2
LOGIN      tty4         2021-09-16 09:37             47561 id=tty4
LOGIN      tty5         2021-09-16 09:37             47562 id=tty5
LOGIN      tty6         2021-09-16 09:37             47563 id=tty6

We can also view the current run-level, system boot, and PID with exit code. For more options or flags, use the man command

$ man who

users command

You don’t care about extra details, then the users command is best. It will print all currently logged users on a system, to see type the simple command:

bob trendoceans trendoceans tim sue

I think users command is best when you don’t want anything extra.

last command

The above options are worth trying. Can we have something through which we can know when the X or Y user-made login and logged out? Yes, we can track that too.

The last command can list out all the login details about a specific user or combine at once, and of course, you can filter out using the last or grep command.

To see combine results pass the following command:

$ last | less
bob      tty3                          Thu Sep 16 09:37   still logged in
sue      pts/3    Thu Sep 16 09:37 - 11:51  (02:15)
tim      pts/3    Thu Sep 16 09:34 - 09:35  (00:00)
bob      pts/2    Thu Sep 16 08:49 - 11:21  (02:32)
trendoce pts/3        :0               Thu Sep 16 08:48 - 08:48  (00:00)
trendoce pts/2    Thu Sep 16 08:02 - 08:48  (00:46)
trendoce pts/1        :0               Thu Sep 16 07:55   still logged in
trendoce pts/1        :0               Wed Sep 15 10:19 - 10:19  (00:00)
trendoce pts/0        :0               Wed Sep 15 10:18   still logged in
trendoce tty7         :0               Wed Sep 15 10:18   still logged in
reboot   system boot  5.10.0-8-amd64   Wed Sep 15 15:47   still running
trendoce pts/0        :0               Tue Sep 14 22:57 - crash  (16:50)

The output consists of a usernameterminal typesource IP address in case of SSHdate & time stampstatus, and duration.

I’ll explain output with a basic example, user bob logged in to his system using tty3 on Sep 16 time around 09:37, and status is still it depicts user is working.

Once bob finished his work, he closed his system, and status changed with logout time and duration of logging in.

bob      tty3                          Thu Sep 16 09:37 - 14:43  (05:06)

The last command also supports various options. Please go through with a manual once.

Wrapping up

That’s all to check who has logged into my Linux system. The output receives on STDIN comes from var/log/wtmp, /var/log/btmp, /var/run/utmp

I have covered the necessary options. If you want to learn more about a specific command, please use the manual.

Read this to:- 30 Basic commands which every Linux user should know

If you want to share something that would help others, please share it in a comment section.

0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments