Tracking user logins on Linux

This post examines a number of commands that can help you view and understand user logins and the time users spend on your Linux servers.

The who command

The who command is a basic command that will show you who is logged into your server now. But that’s not all. You will also see when they logged in and where they have logged in from (i.e., the IP address). This example shows two users are logged in from different systems.

$ who
fedora   seat0        2024-09-13 15:18 (login screen)
fedora   tty2         2024-09-13 15:18 (tty2)
shs      pts/1        2024-09-13 15:23 (192.168.0.7)
nemo     pts/2        2024-09-13 11:11 (192.168.0.11)

The last command

The last command allows you to look further back in time to see both current and older logins, beginning with the most recent and moving back through previous logins.

$ last | head -6
shs      pts/1        192.168.0.7      Fri Sep 13 15:23   still logged in
fedora   tty2         tty2             Fri Sep 13 15:18   still logged in
fedora   seat0        login screen     Fri Sep 13 15:18   still logged in
shs      pts/1        192.168.0.11     Tue Sep 10 11:51 - 12:26  (00:35)
nemo     pts/2        192.168.0.11     Fri Sep 13 11:11   still logged in

The command below squeezes the white space into single blank characters.

$ last | head -7 | tr -s " "
shs pts/1 192.168.0.7 Fri Sep 13 15:23 still logged in
fedora tty2 tty2 Fri Sep 13 15:18 still logged in
fedora seat0 login screen Fri Sep 13 15:18 still logged in
shs pts/1 192.168.0.11 Tue Sep 10 11:51 - 12:26 (00:35)
nemo pts/2 192.168.0.11 Fri Sep 13 11:11 still logged in

Checking the wtmp file

To count logins, you could use a command like the one below, which provides login counts from the current /var/log/wtmp file, where logins are recorded. Keep in mind that this is a binary file, so you can’t read its content with the grep, more or cat commands.

The command below reports on regular (not system) users – individuals with home directories in /home – and counts their logins.

$ for user in `ls /home`
> do
>   echo -n "$user: "
>   who /var/log/wtmp | grep "^$user " | wc -l
> done
brie: 0
dumdum: 0
fedora: 124
george: 1
justme: 0
lola: 19
newuser: 0
shs: 90
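
The same count can be produced in one pass over the who output, along with each user's latest login and the distinct origins seen. This is an added example, not part of the original post; the function names login_summary and sample_who and the sample lines are constructed for illustration. Unlike the loop above, it lists only users that appear in wtmp, so accounts with zero logins are not shown.

```shell
#!/bin/sh
# Added example: summarize who-format login records in a single pass.
# Output columns (tab-separated): user, login count, latest login, origins.
# On a live system: who /var/log/wtmp | login_summary

login_summary() {
    awk '
    NF >= 4 {
        user = $1
        src = "-"                       # record without an origin field
        # The origin is the trailing parenthesised field. It can contain
        # spaces, e.g. "(login screen)", so cut it from the whole line.
        if (match($0, /\([^)]*\)[ \t]*$/)) {
            src = substr($0, RSTART + 1)
            sub(/\)[ \t]*$/, "", src)
        }
        count[user]++
        latest[user] = $3 " " $4        # wtmp is chronological, last one wins
        if (!((user, src) in seen)) {
            seen[user, src] = 1
            if (user in origins)
                origins[user] = origins[user] "," src
            else
                origins[user] = src
        }
    }
    END {
        for (u in count)
            printf "%s\t%d\t%s\t%s\n", u, count[u], latest[u], origins[u]
    }' | sort
}

# Constructed sample input in the format printed by "who /var/log/wtmp".
sample_who() {
    cat <<'EOF'
shs      pts/3        2024-04-02 16:24 (192.168.0.11)
fedora   seat0        2024-09-13 15:18 (login screen)
fedora   tty2         2024-09-13 15:18 (tty2)
nemo     pts/2        2024-09-13 11:11 (192.168.0.11)
shs      pts/1        2024-09-13 15:23 (192.168.0.7)
EOF
}

sample_who | login_summary
```

A user whose origins column suddenly gains an unfamiliar address is worth a closer look with last for that user.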

To get an idea how old the wtmp file is, you can run a command like this one that displays the first (and, thus, oldest) line in the file.

$ who /var/log/wtmp | head -1
shs      pts/3        2024-04-02 16:24 (192.168.0.11)

You will also see the start date of the wtmp file when you run a command like this one where that information is tacked on at the end of the output.

$ last george
george   pts/2        192.168.0.8      Tue Jul 30 15:32 - 15:32  (00:00)

wtmp begins Tue Apr  2 16:24:11 2024

The ac command

The ac command reports on user connect time, and it has a number of other useful options as well.

Use the -d option to view daily login totals as in this example:

$ ac -d | tail -5
Aug 27  total      222.68
Sep  7  total        4.60
Sep 10  total        1.85
Sep 13  total       18.43
Today   total       26.73

For user totals, use the -p option:

$ ac -p
        lola                                 5.07
        george                               0.01
        fedora                             915.42
        shs                                124.67
        total     1045.17

The lslogins command

The lslogins command will display data on system and user accounts. Since most system accounts never log in, you will see a lot of lines without data in the LAST-LOGIN column.

$ lslogins | head -5
  UID USER                PROC PWD-LOCK PWD-DENY  LAST-LOGIN GECOS
    0 root                 147                   Aug27/13:11 Super User
    1 bin                    0                               bin
    2 daemon                 0                               daemon
    3 adm                    0                               adm 

To display user logins without all the system accounts, use a command with the -u option:

$ lslogins -u
 UID USER    PROC PWD-LOCK PWD-DENY  LAST-LOGIN GECOS
   0 root     145                   Aug27/13:11 Super User
1000 fedora    75                   Sep13/15:18 fedora
1001 shs        5                         12:24
1002 newuser    0
1003 george     0                   Jul30/15:32
1004 justme     0                   Feb10/12:36 JustMe
1006 lola       0                   Jul22/12:30
1007 dumdum     0 

You can get quite a lot of information on a single user with a command like that shown below. In this case, the lslogins command is consulting additional files (like the /etc/passwd file) to gather additional information on the user such as the user’s shell and UID.

$ lslogins shs
Username:                           shs
UID:                                1001
Gecos field:
Home directory:                     /home/shs
Shell:                              /bin/bash
No login:                           no
Primary group:                      shs
GID:                                1001
Supplementary groups:               wheel
Supplementary group IDs:            10
Last login:                         12:24
Last terminal:                      pts/1
Last hostname:                      192.168.0.7
Hushed:                             no
Running processes:                  5

Last logs:
12:29 systemd[52919]: Created slice background.slice - User Background Tasks Slice.
12:29 systemd[52919]: Starting systemd-tmpfiles-clean.service - Cleanup of User's Temporary Files and Directories...
12:29 systemd[52919]: Finished systemd-tmpfiles-clean.service - Cleanup of User's Temporary Files and Directories.

Unless dates are included (e.g., Sep11/12:13), the date is the current date.

The lastlog command

The lastlog command reports the most recent login for all users or for a particular user.

fedora       tty2                         Fri Sep 13 15:18:43 -0400 2024
shs          pts/1    192.168.0.7         Fri Sep 13 15:23:13 -0400 2024
newuser                                   **Never logged in**
george       pts/2    192.168.0.8         Tue Jul 30 15:32:22 -0400 2024
justme       tty2                         Sat Feb 10 12:36:19 -0500 2024
lola         pts/2    192.168.0.6         Mon Jul 22 12:30:03 -0400 2024

$ lastlog -u george
Username         Port     From                                       Latest
george           pts/2    192.168.0.8                               Tue Jul 30 15:32:22 -0400 2024

Recent commands

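To see recent commands that a user has run, you need to have superuser access and take a look at their command history file. For bash users, this will be .bash_history. Keep in mind that bash normally writes this file only when the shell exits and that the user can edit it, so it is not a reliable audit record.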

# tail ~george/.bash_history
pwd
touch this
ls -l this
rm badfile

Wrap-up

Linux systems provide many ways to view user activity – when they log in, how long they stay logged in and even what commands they run.

Source: Network World