This post examines a number of commands that can help you view and understand user logins and the time users spend on your Linux servers.
The who command
The who command is a basic command that will show you who is logged into your server now. But that’s not all. You will also see when they logged in and where they have logged in from (i.e., the IP address). This example shows two users are logged in from different systems.
$ who fedora seat0 2024-09-13 15:18 (login screen) fedora tty2 2024-09-13 15:18 (tty2) shs pts/1 2024-09-13 15:23 (192.168.0.7) nemo pts/2 2024-09-13 11:11 (192.168.0.11)
The last command
The last command allows you to look further back into time to see both current and older logins, beginning with the most recent and moving back into previous logins.
$ last | head -6 shs pts/1 192.168.0.7 Fri Sep 13 15:23 still logged in fedora tty2 tty2 Fri Sep 13 15:18 still logged in fedora seat0 login screen Fri Sep 13 15:18 still logged in shs pts/1 192.168.0.11 Tue Sep 10 11:51 - 12:26 (00:35) nemo pts/2 192.168.0.11 Fri Sep 13 11:11 still logged in
The command below squeezes the white space into single blank characters.
$ last | head -7 | tr -s " " shs pts/1 192.168.0.7 Fri Sep 13 15:23 still logged in fedora tty2 tty2 Fri Sep 13 15:18 still logged in fedora seat0 login screen Fri Sep 13 15:18 still logged in shs pts/1 192.168.0.11 Tue Sep 10 11:51 - 12:26 (00:35) nemo pts/2 192.168.0.11 Fri Sep 13 11:11 still logged in
Checking the wtmp file
To count logins, you could use a command like the one below that will provide login counts recorded in the current /var/log/wtmp file where logins are recorded. Keep in mind that this is a binary file, so you can’t read its content with grep, more or cat commands.
The command below reports on regular (not system) users – individuals with home directories in /home – and counts their logins.
$ for user in `ls /home` > do > echo -n "$user: " > who /var/log/wtmp | grep "^$user " | wc -l > done brie: 0 dumdum: 0 fedora: 124 george: 1 justme: 0 lola: 19 newuser: 0 shs: 90
To get an idea how old the wtmp file is, you can run a command like this one that displays the first (and, thus, oldest) line in the file.
$ who /var/log/wtmp | head -1 shs pts/3 2024-04-02 16:24 (192.168.0.11)
You will also see the start date of the wtmp file when you run a command like this one where that information is tacked on at the end of the output.
$ last george george pts/2 192.168.0.8 Tue Jul 30 15:32 - 15:32 (00:00) wtmp begins Tue Apr 2 16:24:11 2024
The ac command
The ac command reports on user connect time, and it has a number of other useful options as well.
Use the -d option to view daily login totals as in this example:
$ ac -d | tail -5 Aug 27 total 222.68 Sep 7 total 4.60 Sep 10 total 1.85 Sep 13 total 18.43 Today total 26.73
For user totals, use the -p option:
$ ac -p lola 5.07 george 0.01 fedora 915.42 shs 124.67 total 1045.17
The lslogins command
The lslogins command will display data on system and user accounts. Since most system accounts never log in, you will see a lot of lines without data in the LAST-LOGIN column.
$ lslogins | head -5 UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS 0 root 147 Aug27/13:11 Super User 1 bin 0 bin 2 daemon 0 daemon 3 adm 0 adm
To display user logins without all the system accounts, use a command with the -u option:
$ lslogins -u UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS 0 root 145 Aug27/13:11 Super User 1000 fedora 75 Sep13/15:18 fedora 1001 shs 5 12:24 1002 newuser 0 1003 george 0 Jul30/15:32 1004 justme 0 Feb10/12:36 JustMe 1006 lola 0 Jul22/12:30 1007 dumdum 0
You can get quite a lot of information on a single user with a command like that shown below. In this case, the lslogins command is consulting additional files (like the /etc/passwd file) to gather additional information on the user such as the user’s shell and UID.
$ lslogins shs Username: shs UID: 1001 Gecos field: Home directory: /home/shs Shell: /bin/bash No login: no Primary group: shs GID: 1001 Supplementary groups: wheel Supplementary group IDs: 10 Last login: 12:24 Last terminal: pts/1 Last hostname: 192.168.0.7 Hushed: no Running processes: 5 Last logs: 12:29 systemd[52919]: Created slice background.slice - User Background Tasks Slice. 12:29 systemd[52919]: Starting systemd-tmpfiles-clean.service - Cleanup of User's Temporary Files and Directories... 12:29 systemd[52919]: Finished systemd-tmpfiles-clean.service - Cleanup of User's Temporary Files and Directories.
Unless dates are included (e.g., Sep11/12:13), the date is the current date.
The lastlog command
The lastlog command reports the most recent login of all users or for a particular user.
fedora tty2 Fri Sep 13 15:18:43 -0400 2024 shs pts/1 192.168.0.7 Fri Sep 13 15:23:13 -0400 2024 newuser **Never logged in** george pts/2 192.168.0.8 Tue Jul 30 15:32:22 -0400 2024 justme tty2 Sat Feb 10 12:36:19 -0500 2024 lola pts/2 192.168.0.6 Mon Jul 22 12:30:03 -0400 2024 $ lastlog -u george Username Port From Latest george pts/2 192.168.0.8 Tue Jul 30 15:32:22 -0400 2024
Recent commands
To see recent commands that a user has run, you need to have superuser access and take a look at their command history file. For bash users, this will be .bash_history.
# tail ~george/.bash_history pwd touch this ls -l this rm badfile
Wrap-up
Linux systems provide many ways to view user activity – when they login, how long they stay logged in and even what commands they run.
Source:: Network World