A Linux system admin should keep an eye on who is currently logged into the Linux system and what are they up to. We already knew how to find the last logged in users in Linux. How would you identify who is logged on your Linux system at the moment and what they are doing? Easy! This tutorial lists various methods to find currently logged in users in Linux.
Table of Contents
1. Find currently logged in users in Linux using w
command
In Linux operating systems, there is special, single letter command called w
that helps you to find who is logged on and what they are doing in the system. This is the most commonly used command line tool to display the information about the users currently on the server, and their processes.
The w
command is often useful when you are administering a Linux server that is frequently being accessed by many users. You can track all of them without having to install any additional tools or applications.
The w
command shows various useful details including the following:
- the current time,
- how long the system has been running,
- how many users are currently logged on,
- and the system load averages for the past 1, 5, and 15 minutes.
The w
command fetches information about who is currently logged on from the /var/run/utmp
file and retrieves the process information from the /proc
file.
Now let us see how to use w
command to display who is logged in on your Linux machine and what they are doing.
The typical usage of w
command is:
$ w [options] user
When you run w command without any options, it will display all currently logged in users in your Linux system:
$ w
Sample output:
08:42:30 up 28 min, 2 users, load average: 1.30, 0.87, 0.45 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT sk tty1 - 08:41 42.00s 0.10s 0.06s -bash ostechni pts/1 192.168.225.37 08:42 6.00s 0.09s 0.01s w
As you can see in the above output, currently there are two users (sk and ostechni) logged into my Ubuntu server. The w
command displays the following details for the individual users:
- login name,
- the tty name,
- source IP address from which the user logged in,
- login time,
- idle time,
- JCPU time (the time used by all processes attached to the tty),
- PCPU time (the time used by the current process),
- and the command line of their current process.
If you want to display the details of a specific logged in user (E.g. ostechnix), the command would be:
$ w ostechnix 08:51:36 up 37 min, 2 users, load average: 1.12, 1.06, 0.76 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT ostechni pts/1 192.168.225.37 08:42 0.00s 0.09s 0.01s w ostech
You can omit the header from the output using -h
option:
$ w -h sk tty1 - 08:41 16:13 0.10s 0.06s -bash ostechni pts/1 192.168.225.37 08:42 1.00s 0.09s 0.01s w -h
You can also display IP address instead of hostname for "FROM"
(remote hostname) field using -i
option:
$ w -i
You may not want to print all the details. If so, you can exclude the login time, JCPU or PCPU times using -s
(--short
) option:
$ w -s 09:02:50 up 48 min, 2 users, load average: 0.31, 0.79, 0.84 USER TTY FROM IDLE WHAT sk tty1 - 21:02 -bash ostechni pts/1 192.168.225.37 1.00s w -s
For more details, check man pages:
$ man w
Or, refer help section:
$ w --help Usage: w [options] Options: -h, --no-header do not print header -u, --no-current ignore current process username -s, --short short format -f, --from show remote hostname field -o, --old-style old style output -i, --ip-addr display IP address instead of hostname (if possible) --help display this help and exit -V, --version output version information and exit For more details see w(1).
2. Display all logged in users using who
command
The who
command is yet another command line tool to display information about users who are currently logged in a Linux machine.
If you run who
command without any options, it will display all logged in users:
$ who
Sample output:
sk tty1 2021-01-12 08:41 ostechnix pts/1 2021-01-12 08:42 (192.168.225.37)
As you see in the above output, who
command shows the username, type of the terminal device (E.g. tty
or pts
) on which the session took place, boot time and the source IP address from which the user logged in.
You can filter details for a specific user with grep
command:
$ who | grep ostechnix ostechnix pts/1 2021-01-12 08:42 (192.168.225.37)
The above command will find if the given user ostechnix is logged in or not.
If you want to display information only for the current terminal session, run:
$ who am i ostechnix pts/1 2021-01-12 08:42 (192.168.225.37)
Please note the spaces between the words. If you execute the above command without any spaces, it will only display the username:
$ whoami ostechnix
The who
command has few other options to get customised output.
For example, you can display all available information of current logins using -a
flag:
$ who -a
Sample output:
system boot 2021-01-12 08:14 sk - tty1 2021-01-12 08:41 00:59 1463 run-level 5 2021-01-12 08:15 ostechnix + pts/1 2021-01-12 08:42 . 1477 (192.168.225.37) LOGIN tty6 2021-01-12 08:41 1366 id=tty6
To display all available information with column headers, use -H
flag:
$ who -a -H NAME LINE TIME IDLE PID COMMENT EXIT system boot 2021-01-12 08:14 sk - tty1 2021-01-12 08:41 00:59 1463 run-level 5 2021-01-12 08:15 ostechnix + pts/1 2021-01-12 08:42 . 1477 (192.168.225.37) LOGIN tty6 2021-01-12 08:41 1366 id=tty6
For more details, refer the man pages and help section of who command using any one of the following commands:
$ man who
$ who --help
3. Print logged in users with users
command
The users
command prints the user names of users currently logged in to the current host system.
To display a list of all logged in users in a Linux machine, run:
$ users ostechnix sk
To get help, run any one of the following commands:
$ man users
$ users --help
4. View logged in users with last
command
The last
command usually displays all the users that have ever logged in and out of a Linux machine since the /var/log/wtmp
file was created.
$ last
The list of currently logged in users are shown at the top.
ostechni pts/1 192.168.225.37 Tue Jan 12 08:42 still logged in sk tty1 Tue Jan 12 08:41 still logged in ostechni tty1 Tue Jan 12 08:41 - 08:41 (00:00) sk pts/1 192.168.225.37 Tue Jan 12 08:41 - 08:41 (00:00) [...]
For help, see man pages or use --help
option:
$ man last
$ last --help
5. Find who is logged in a Linux system using id command
The id
command is used to print user and group information for the specified USER, or for the current user when USER is omitted.
To print the currently logged in user in the current session, run id
command with -un
options:
$ id -un ostechnix
This is same as the whoami
command.
To get help, do:
$ man id
$ id --help
All of the aforementioned tools are available by default in most Linux distributions. There is one more command line tool available to find who is logged in a Linux system. It is not installed by default, but available in the default repositories of most Linux distributions.
6. List logged in users with finger command
Finger is a command line user information lookup utility. It displays the user's login name, real name, terminal name and write status, idle time, login time, office location and office phone number etc.
The finger program is not installed by default in some Linux distributions. You can install finger in Debian, Ubuntu systems using apt package manager like below:
$ sudo apt install finger
Once installed, run finger command to find logged in users in your Linux system:
$ finger
Sample output:
Login Name Tty Idle Login Time Office Office Phone ostechnix ostechnix pts/1 Jan 12 08:42 (192.168.225.37) sk *tty1 3:17 Jan 12 08:41
Display information about a specific user:
$ finger ostechnix
Sample output:
Login: ostechnix Name: ostechnix Directory: /home/ostechnix Shell: /bin/bash On since Tue Jan 12 08:42 (UTC) on pts/1 from 192.168.225.37 2 seconds idle No mail. No Plan.
These are a few methods to find the currently logged in users in a Linux system. Knowing who is logged in and finding what they are doing in your system can be helpful at troubleshooting times. I hope one of the aforementioned methods will help you out.
Related read:
2 comments
So… what does “logged in” mean? The utmp/wtmp databases used by “who” and “last” are databases where “something” had to write a record. In other words, there are ways to run even interactive programs on a remote machine and never show up in utmp/wtmp records. Here’s a simple case that works most of the time: ssh some-host bash -i . That will create an “interactive” shell session, but won’t write anything to utmp. Also, you won’t have a tty in that example. but still, it is interactive and you can do stuff. That is, you have a shell on the remote host without a record of being “logged in”. This is just one of a plethora of ways to do this btw. Just pointing out that there is a difference between being “logged in” using the normal ways someone might be on a system, and they ways that somebody that isn’t interested in being normal might get onto a system. I say this mainly for people believing they are protected by monitoring behaviors through things like utmp/wtmp. You might not be as safe as you think and you might want to reconsider what you’re looking for.
Thanks for the clarification. I really appreciate it.