sandra_henrystocker
Unix Dweeb

Who’s logging into your Linux servers?

How-To
15 Apr 2024, 4 mins
Linux

A few Linux commands offer different ways to see which users are logging into your Linux servers, how often they log in, and how long they’ve been active or idle.


If you want a report on who is logging into your Linux server and how often, the commands described in this post might just make your day. Linux logins are recorded in a log file, and extracting the records is surprisingly easy – especially when you have a couple of commands on hand and are ready to sort the data on various fields.

First, you don’t need to be root to get data. It’s saved in the wtmp file that stores login data, and everyone can read that file. Here’s an example of a command to display the file permissions. Note that everyone has read permission, but only root and members of the privileged group can write to it:

$ ls -l /var/log/wtmp
-rw-rw-r--. 1 root utmp 3768 Apr  2 16:25 /var/log/wtmp

To examine what’s in the file, you would use the who command (e.g., who /var/log/wtmp). The only problem is that, on a busy server, you’ll easily see hundreds of lines of output. Here’s a handful that are displayed when the output of the who command is passed to the head command:

$ who /var/log/wtmp | head -11
alex     tty3         2024-04-01 08:11 (192.168.0.8)
shs      pts/3        2024-04-01 10:24 (192.168.0.11)
shs      pts/3        2024-04-02 08:24 (192.168.0.11)
alex     tty3         2024-04-02 08:11 (192.168.0.8)
shs      pts/3        2024-04-03 09:05 (192.168.0.11)
shs      pts/3        2024-04-04 07:15 (192.168.0.11)
alex     tty3         2024-04-04 08:11 (192.168.0.8)
shs      pts/3        2024-04-05 10:11 (192.168.0.11)
fedora   seat0        2024-04-05 11:02 (login screen)
fedora   tty2         2024-04-05 11:02 (tty2)
shs      pts/3        2024-04-05 16:24 (192.168.0.11)

You can count the number of entries by piping the output of the who command to the wc -l command (e.g., who /var/log/wtmp | wc -l). On the other hand, to get a view of who’s logging in and how frequently, a command like this will provide more useful information as it provides per-user login counts:

$ who /var/log/wtmp | sort | awk '{print $1}' | uniq -c
      23 alex
      12 fedora
      96 shs

The command above sorts the records, limits the output to the first field (the username), and then counts the lines for each individual user. You can easily create an alias that provides counts like these:

# \$1 is escaped so the shell leaves it for awk instead of expanding it when the alias is defined
$ alias showLogins="who /var/log/wtmp | sort | awk '{print \$1}' | uniq -c"

While the command doesn’t show you how long each user was logged in, it gives you an idea about how much users are using the system.
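The per-user count above can be extended to show how many distinct origins each account logged in from and when it last logged in. The following is an added example, not code from the original article; the function names login_summary and sample_records are hypothetical, and the sample records are constructed in the same layout as the who output shown earlier.

```shell
# Added example, not from the original article.
# login_summary reads who(1)-style records on stdin and prints one line per
# user: USER LOGINS DISTINCT_ORIGINS LAST_LOGIN. It assumes the ISO date
# layout shown in the article (YYYY-MM-DD HH:MM), which sorts as plain text.
login_summary() {
    awk '
    NF >= 4 {
        user = $1
        count[user]++
        stamp = $3 " " $4
        if (stamp > last[user]) last[user] = stamp
        # Everything after the time is the origin, such as (192.168.0.11)
        # or (login screen); a record without one is counted as "local".
        origin = ""
        for (i = 5; i <= NF; i++) origin = (origin == "" ? $i : origin " " $i)
        gsub(/[()]/, "", origin)
        if (origin == "") origin = "local"
        if (!((user, origin) in seen)) { seen[user, origin] = 1; origins[user]++ }
    }
    END {
        for (u in count)
            printf "%s %d %d %s\n", u, count[u], origins[u], last[u]
    }' | sort
}

# Constructed sample records in the same layout as the article output.
sample_records() {
    cat <<'EOF'
alex     tty3         2024-04-01 08:11 (192.168.0.8)
shs      pts/3        2024-04-01 10:24 (192.168.0.11)
shs      pts/4        2024-04-03 09:05 (192.168.0.27)
fedora   seat0        2024-04-05 11:02 (login screen)
fedora   tty2         2024-04-05 11:02 (tty2)
shs      pts/3        2024-04-05 16:24 (192.168.0.11)
EOF
}

sample_records | login_summary
# On a live system: who /var/log/wtmp | login_summary
```

An account whose origin count rises, or whose last login falls outside its usual hours, is a natural starting point for a closer look at the full records.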

To see how long currently logged-in users have been logged in, you can use the last command.

$ last shs
shs      pts/3        192.168.0.11     Tue Apr  5 08:24   still logged in

The w command will show you when current users logged in and how long they’ve been idle.

$ w
 17:03:53 up  6:02,  3 users,  load average: 0.24, 0.23, 0.20
USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
fedora   seat0     11:02    0.00s  0.00s  0.00s /usr/libexec/gdm-wayland-session /usr/bin/gnome-session
fedora   tty2      11:02    6:02m  0.06s  0.06s /usr/libexec/gnome-session-binary
shs      pts/3     16:24    0.00s  0.13s  0.02s w

The load averages shown on the first line of output above are measurements of the computational work the system is performing. Ideally, these should all be less than the number of CPUs on the system. Higher numbers represent a problem or an overloaded machine.

The ac -p command can show how long users have been logged in as a number of hours.

$ ac -p
        lola                                 5.43
        shs                                  9.88
        total        15.31

If you manage Linux servers, it’s a good idea to understand how much they’re being used and which users are making the heaviest use of them. Your busiest servers may require more monitoring and more communication with your user base.


Sandra Henry-Stocker has been administering Unix systems for more than 30 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She lives in the mountains in Virginia where, when not working with or writing about Unix, she's chasing the bears away from her bird feeders.
