A few Linux commands offer different ways to see which users are logging into your Linux servers, how often they log in, and how long they’ve been active or idle.
If you want to get a report to see who is logging into your Linux server and how often, the commands described in this post might just make your day. Linux logins are recorded in a log file, and extracting the records is surprisingly easy – especially when you a have a couple commands on hand and are ready to sort the data on various fields.
First, you don’t need to be root to get data. It’s saved in the wtmp file that stores login data, and everyone can read that file. Here’s an example of a command to display the file permissions. Note that everyone has read permission, but only root and members of the privileged group can write to it:
$ ls -l /var/log/wtmp -rw-rw-r--. 1 root utmp 3768 Apr 2 16:25 /var/log/wtmp
To examine what’s in the file, you would use the who command (e.g., who /var/log/wtmp). The only problem is that, on a busy server, you’ll easily see hundreds of lines of output. Here’s a handful that are displayed when the output of the who command is passed to the head command:
$ who /var/log/wtmp | head 11 alex tty3 2024-04-01 08.11 (192.168.0.8) shs pts/3 2024-04-01 10:24 (192.168.0.11) shs pts/3 2024-04-02 08:24 (192.168.0.11) alex tty3 2024-04-02 08.11 (192.168.0.8) shs pts/3 2024-04-03 09:05 (192.168.0.11) shs pts/3 2024-04-04 07:15 (192.168.0.11) alex tty3 2024-04-04 08.11 (192.168.0.8) shs pts/3 2024-04-05 10:11 (192.168.0.11) fedora seat0 2024-04-05 11:02 (login screen) fedora tty2 2024-04-05 11:02 (tty2) shs pts/3 2024-04-05 16:24 (192.168.0.11)
You can count the number of entries by piping the output of the who command to the wc -l command (e.g., who /var/log/wtmp | wc -l). On the other hand, to get a view of who’s logging in and how frequently, a command like this will provide more useful information as it provides per-user login counts:
$ who /var/log/wtmp | sort | awk '{print $1}' | uniq -c 23 alex 12 fedora 96 shs
This command above sorts the lines in the file, limits the output to the first field (the username), and then counts the lines for each individual user. You can easily create an alias that provides counts like these:
$ alias showLogins=”who /var/log/wtmp | sort | awk '{print $1}' | uniq -c”
While the command doesn’t show you how long each user was logged in, it gives you an idea about how much users are using the system.
To see how long currently logged in users have been logged in, you can use the last command.
$ last shs shs pts/3 192.168.0.11 Tue Apr 5 08:24 still logged in
The w command will show you when current users logged in and how long they’ve been idle.
$ w 17:03:53 up 6:02, 3 users, load average: 0.24, 0.23, 0.20 USER TTY LOGIN@ IDLE JCPU PCPU WHAT fedora seat0 11:02 0.00s 0.00s 0.00s /usr/libexec/gdm-wayland-session /usr/bin/gnome-session fedora tty2 11:02 6:02m 0.06s 0.06s /usr/libexec/gnome-session-binary shs pts/3 16:24 0.00s 0.13s 0.02s w
The load averages shown on the first line of output above are measurements of the computational work the system is performing. Ideally, these should all be less than the number of CPUs on the system. Higher numbers represent a problem or an overloaded machine.
The ac -p command can show how long users have been logged in as a number of hours.
$ ac -p lola 5.43 shs 9.88 total 15.31
If you manage Linux servers, it’s a good idea to understand how much they’re being used and which users are making the heaviest use of them. Your busiest servers may require more monitoring and more communication with your user base.