- 6 Ways to check logged in users in Linux
- check logged in users with w command in Linux
- check logged in users with Who command in Linux
- check logged in users with whoami command in Linux
- check logged in users with id command in Linux
- check logged in users with last command in Linux
- check logged in users from log file in Linux
- 6 commands to list the logged in users in Linux
- Method 3
- Method 4
- Method 5
- Method 6
6 Ways to check logged in users in Linux
Linux is a multi-user system. It is always important to know who has logged into your Linux box. This isn’t just to help track the activities of malicious users, but mostly to figure out who made the mistake that crashed the system.
We collect 6 Linux commands for this task.
The following Linux commands can be used to check logged-in users.
- w This command shows who’s logged in and what they are doing.
- who The who command in Linux displays a list of all the users who are currently logged in to the system.
- whoami The whoami command displays the username of the current user.
- id The id command Print user and group information for the logged user
- last The last command shows the list of the last logged in users
- tail -f /var/log/secure
check logged in users with w command in Linux
The best Linux command to check the logged-in users is using w command. All we need is to open the terminal then type w in the prompt. This command shows who’s logged in and what they are doing.
It displays information about current users on the machine by reading the file /var/run/utmp, and their processes from /proc.
The procedure to check logged-in users in Linux is as follows:
- Open the terminal application.
- Type w to check the user
- Press Enter to run the command.
- The output will display the users that are currently logged in. This includes their username, where they are logged in from, and what they are currently doing
Here’s an example output of the w command:
10:15:21 up 1 day, 2:30, 3 users, load average: 0.12, 0.10, 0.09
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
user1 tty1 — 10:15 0.00s 0.01s 0.00s w
user2 pts/0 192.168.1.100 09:45 1:30 0.20s 0.05s sshd: user2@pts/0
user3 pts/1 192.168.1.101 08:30 2.50s 0.50s 0.10s top
The first line provides system-related information, including the current time, uptime, number of logged-in users, and the system load average.
The subsequent lines display the information for each logged-in user. It includes the username, terminal, remote host (if applicable), login time, idle time, JCPU (total CPU time for all processes), PCPU (CPU time for the current process), and the command or process associated with the session.
There are 3 users in this system. Each line corresponds to a user session and provides various details about the session.
Username | user1 |
Terminal | tty1 |
Remote Host | – |
Login Time | 10:15 |
Idle Time | 0.00s |
JCPU | 0.01s |
PCPU | 0.00s |
Command | w |
check logged in users with Who command in Linux
who – The who command prints information about all users who are currently logged in. It reads from a default file location (usually /var/run/utmp).
$ who
ocp pts/0 Jan 26 12:05 (64.104.125.239)
The who command in Linux is used to display information about the currently logged-in users on the system.
When you run the who command without any options, it will display a list of logged-in users with the following details:
1. Username: The username of the logged-in user.
2. Terminal: The name of the terminal or device where the user is logged in. It can be a physical terminal or a remote session.
3. Date and time: The login date and time when the user session was initiated.
Here’s an example output of the `who` command:
user1 tty1 2023-06-25 10:15
user2 pts/0 2023-06-25 09:45 (:0)
user3 pts/1 2023-06-25 08:30 (:1)
In the example above, there are three logged-in users:
1. user1 is logged in on tty1 (a physical terminal) and logged in at 10:15.
2. user2 is logged in on pts/0, which indicates a pseudo-terminal or a remote session. The session is associated with display `:0` (X display).
3. user3 is logged in on pts/1 and associated with display `:1`.
The `who` command provides a quick overview of the currently active user sessions on the system.
check logged in users with whoami command in Linux
whoami – The whoami command shows you which user account you’re logged in to from a terminal window.
$ whoami
ocp
The whoami command in Linux is used to display the username of the current user who is executing the command. When you run the whoami command, it simply returns the username associated with the current user session.
In the example above, the whoami command returns user1, indicating that the current user executing the command is logged in as user1.
The whoami command is useful in scripts or command-line operations where you need to know the username of the current user without explicitly specifying it. It provides a convenient way to retrieve the current user’s identity within a shell session.
check logged in users with id command in Linux
id – The id command Print user and group information for the specified username
$ id
uid=50291(ocp) gid=50291(ocp) groups=50291(ocp) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
The id command in Linux is used to display information about the current user or a specified user. When you run the id command without any options, it provides the following information about the current user:
- User ID (UID): The numerical identification assigned to the user by the system.
- Group ID (GID): The numerical identification assigned to the user’s primary group.
- User and Group Names: The names of the user and primary group.
- Supplementary Group IDs: The numerical identification of any additional groups that the user belongs to.
Here’s an example output of the id command for the current user:
$ id
uid=1000(username) gid=1000(groupname) groups=1000(groupname),10(wheel)
The id command also allows you to specify a username as an argument to retrieve information about a specific user. For example:
$ id anotheruser
uid=2000(anotheruser) gid=2000(anothergroup) groups=2000(anothergroup),3000(somegroup)
In the example above, the id anotheruser command displays information about the user anotheruser, including their UID, GID, user and group names, and supplementary group IDs.
The id command is useful for obtaining detailed information about user and group identities, which can be beneficial for system administration, access control, and verifying user permissions and group memberships.
check logged in users with last command in Linux
last – The last command shows list of last logged in users by searching the data from /var/log/wtmp file. Also it shows system reboot information.
$ sudo last
ocp pts/0 64.104.125.239 Wed Jan 26 12:05 still logged in
ocp pts/0 64.104.125.239 Wed Jan 26 08:59 – 09:09 (00:10)
The `last` command in Linux is used to display a list of recently logged-in users and their corresponding login history. When you run the `last` command without any options, it provides a chronological list of the most recent user logins, including the following information:
- Username: The username of the logged-in user.
- Terminal: The name of the terminal or device where the user logged in. It can be a physical terminal or a remote session.
- Remote Host: The IP address or hostname of the remote machine from which the user connected (if applicable).
- Login Time: The date and time when the user session was initiated.
- Logout Time: The date and time when the user session ended (if the user has logged out).
- Duration: The duration of the user’s session.
Here’s an example output of the `last` command:
user1 tty1 Thu Jun 24 09:30 still logged in
user2 pts/0 Wed Jun 23 17:45 still logged in (192.168.1.100)
user3 pts/1 Wed Jun 23 15:20 Thu Jun 24 09:00 (192.168.1.101)
`user1` is currently logged in on `tty1` (a physical terminal) since Thu Jun 24 09:30 and is still logged in.
`user2` is logged in on `pts/0` (a pseudo-terminal or remote session) since Wed Jun 23 17:45 and is still logged in. The session is associated with the remote host `192.168.1.100`.
`user3` logged in on `pts/1` since Wed Jun 23 15:20 and logged out on Thu Jun 24 09:00. The session was associated with the remote host `192.168.1.101`.
The `last` command is helpful for monitoring user logins, identifying active sessions, and checking the duration of user sessions. It can be used to track user activity, troubleshoot login issues, or investigate security incidents by examining login history.
check logged in users from log file in Linux
tail -f /var/log/secure – It is mainly used to track the usage of authorization systems.It stores all security related messages including authentication failures.It also tracks sudo logins, SSH logins and other errors logged by system security services daemon.
Jan 26 12:08:06 ip-172-31-37-167 sudo[31036]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Jan 26 12:08:06 ip-172-31-37-167 sudo[31036]: pam_unix(sudo:session): session opened for user root by ocp(uid=0)
The command tail -f /var/log/secure is used to monitor the /var/log/secure file in real-time.
Here’s a breakdown of the command:
- tail: It is a command-line utility in Linux used to display the end (tail) of a file.
- -f: It is an option for the tail command that stands for “follow.” When used with the -f option, tail will continuously monitor the file and display new lines as they are appended to the file.
- /var/log/secure: It is the path to the log file being monitored. In this case, it refers to the /var/log/secure file, which is commonly used to store security-related logs on Linux systems, including authentication attempts, successful logins, and other security events.
David is a Cloud & DevOps Enthusiast. He has years of experience as a Linux engineer. He had working experience in AMD, EMC. He likes Linux, Python, bash, and more. He is a technical blogger and a Software Engineer. He enjoys sharing his learning and contributing to open-source.
howtouselinux.com is dedicated to providing comprehensive information on using Linux.
We hope you find our site helpful and informative.
6 commands to list the logged in users in Linux
last: This command searches back through the file /var/log/wtmp (or the file designated by the -f flag) and displays a list of all users logged in (and out) since that file was created. Names of users and tty’s can be given, in which case last will show only those entries matching the arguments.
# last -a
deepak pts/3 Tue Oct 16 18:01 — 18:01 (00:00) 10.10.10.30
root pts/2 Tue Oct 16 17:51 still logged in 10.10.10.30
root pts/1 Tue Oct 16 14:29 — 18:03 (03:34) 10.10.10.30
root pts/3 Tue Oct 16 11:10 — 13:11 (02:00) 10.10.10.30
root pts/1 Mon Oct 15 20:30 — 13:21 (16:51) 10.10.10.30
root pts/3 Mon Oct 15 18:02 — 18:37 (00:34) 10.10.10.30
root pts/1 Mon Oct 15 15:23 — 18:34 (03:11) 10.10.10.30
root pts/1 Mon Oct 15 10:45 — 15:22 (04:36) 10.10.10.30
root pts/2 Fri Oct 12 18:34 — 15:53 (3+21:19) :2.0
root pts/1 Fri Oct 12 18:07 — 19:34 (01:27) 10.10.10.30
root pts/0 Fri Oct 12 17:57 still logged in :0.0
root tty1 Fri Oct 12 17:56 still logged in :0
reboot system boot Fri Oct 12 17:44 — 18:03 (4+00:19) 2.6.32-220.el6.i686
Method 3
# less /var/log/secure
Oct 16 18:01:12 localhost unix_chkpwd[3503]: password check failed for user (deepak)
Oct 16 18:01:14 localhost sshd[3501]: Failed password for deepak from 10.10.10.30 port 2326 ssh2
Oct 16 18:01:21 localhost passwd: pam_unix(passwd:chauthtok): password changed for deepak
Oct 16 18:01:21 localhost passwd: gkr-pam: couldn’t update the ‘login’ keyring password: no old password was entered
Oct 16 18:01:24 localhost sshd[3501]: Accepted password for deepak from 10.10.10.30 port 2326 ssh2
Oct 16 18:01:24 localhost sshd[3501]: pam_unix(sshd:session): session opened for user deepak by (uid=0)
Oct 16 18:01:31 localhost sshd[3501]: pam_unix(sshd:session): session closed for user deepak
Method 4
finger: If no arguments are specified, finger will print an entry for each user currently logged into the system.
# finger
Login Name Tty Idle Login Time Office Office Phone
deepak pts/3 Oct 16 18:01 (10.10.10.30)
root root tty1 4d Oct 12 17:56 (:0)
root root pts/0 6:51 Oct 12 17:57 (:0.0)
root root pts/1 2:08 Oct 16 14:29 (10.10.10.30)
root root pts/2 Oct 16 17:51 (10.10.10.30)
Method 5
who: This command shows currently logged in users with time details
# who -u
root tty1 2012-10-12 17:56 old 1960 (:0)
root pts/0 2012-10-12 17:57 06:51 2376 (:0.0)
root pts/1 2012-10-16 14:29 02:09 3094 (10.10.10.30)
root pts/2 2012-10-16 17:51 . 3454 (10.10.10.30)