In this post, we will see different ways to see what all users are logged into my Linux server.
Lets have a look at different commands to achieve this.
1. Using w command
[root@ngelinux001 ~]# w 14:54:26 up 100 days, 16:09, 3 users, load average: 4.95, 7.37, 8.85 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT ngeuser pts/1 10.4.161.171 08:58 4:29m 0.06s 0.06s -bash http pts/2 10.4.161.171 08:59 5:55m 0.02s 0.02s -bash root pts/3 10.4.161.171 14:54 2.00s 0.10s 0.04s w
2. Using who command
[root@ngelinux001 ~]# whoami root [root@ngelinux001 ~]# who ngeuser pts/1 2021-12-27 08:58 (10.4.161.171) http pts/2 2021-12-27 08:59 (10.4.161.171) root pts/3 2021-12-27 14:54 (10.4.161.171) [root@ngelinux001 ~]# who -a system boot 2021-09-17 23:45 LOGIN tty1 2021-09-17 23:45 4248 id=tty1 run-level 3 2021-09-17 23:45 ngeuser + pts/1 2021-12-27 08:58 04:29 28569 (10.4.161.171) http + pts/2 2021-12-27 08:59 05:56 28677 (10.4.161.171) root + pts/3 2021-12-27 14:54 . 19298 (10.4.161.171) pts/4 2021-12-26 02:01 32344 id=ts/4 term=0 exit=0 pts/5 2021-12-26 02:01 32742 id=ts/5 term=0 exit=0 pts/6 2021-12-26 02:01 32994 id=ts/6 term=0 exit=0 pts/7 2021-12-26 02:01 33143 id=ts/7 term=0 exit=0 pts/8 2021-12-26 02:01 33461 id=ts/8 term=0 exit=0 pts/9 2021-12-26 02:01 33808 id=ts/9 term=0 exit=0 pts/10 2021-12-26 02:01 8406 id=s/10 term=0 exit=0 pts/11 2021-12-26 02:01 17458 id=s/11 term=0 exit=0 pts/12 2021-12-26 02:00 18020 id=s/12 term=0 exit=0 pts/13 2021-12-26 02:01 49436 id=s/13 term=0 exit=0 pts/14 2021-12-26 02:01 76209 id=s/14 term=0 exit=0 pts/15 2021-12-26 02:01 105254 id=s/15 term=0 exit=0 pts/16 2021-12-26 02:01 6584 id=s/16 term=0 exit=0 pts/17 2021-12-26 02:01 105409 id=s/17 term=0 exit=0 pts/18 2021-12-26 02:00 105665 id=s/18 term=0 exit=0 pts/19 2021-12-26 02:01 101155 id=s/19 term=0 exit=0 pts/20 2021-12-26 04:01 140868 id=s/20 term=0 exit=0 pts/21 2021-12-26 04:01 141019 id=s/21 term=0 exit=0 pts/22 2021-12-26 02:01 146819 id=s/22 term=0 exit=0 pts/23 2021-12-26 02:00 109861 id=s/23 term=0 exit=0 pts/24 2021-12-26 02:00 75835 id=s/24 term=0 exit=0 pts/25 2021-12-26 02:00 138491 id=s/25 term=0 exit=0 pts/26 2021-12-26 02:00 1780 id=s/26 term=0 exit=0 pts/27 2021-12-26 02:01 92342 id=s/27 term=0 exit=0 pts/28 2021-12-26 04:00 49392 id=s/28 term=0 exit=0 pts/29 2021-12-26 02:00 45819 id=s/29 term=0 exit=0 pts/30 2021-12-26 02:01 139098 id=s/30 term=0 exit=0 pts/31 2021-12-26 02:01 139198 id=s/31 term=0 exit=0 pts/32 2021-12-26 02:01 15046 id=s/32 term=0 exit=0 pts/33 2021-12-26 02:00 15975 id=s/33 term=0 exit=0 pts/34 2021-12-26 00:32 62867 id=s/34 term=0 exit=0 pts/35 2021-12-24 21:05 72574 id=s/35 term=0 exit=0 pts/36 2021-12-24 16:34 39107 id=s/36 term=0 exit=0 [root@ngelinux001 ~]#
3. Using “users” command
[root@ngelinux001 ~]# users ngeuser http root [root@ngelinux001 ~]# id -a root uid=0(root) gid=0(root) groups=0(root),3(sys)
4. Using last command
[root@ngelinux001 ~]# last root pts/3 10.4.161.171 Mon Dec 27 14:54 still logged in oracle pts/3 10.4.161.171 Mon Dec 27 11:39 - 11:56 (00:17) http pts/2 10.4.161.171 Mon Dec 27 08:59 still logged in ngeuser pts/1 10.4.161.171 Mon Dec 27 08:58 still logged in oracle pts/34 10.4.161.171 Sun Dec 26 00:22 - 00:32 (00:09) root pts/34 10.4.161.171 Fri Dec 24 15:09 - 15:12 (00:02) root pts/36 10.4.161.171 Fri Dec 24 13:07 - 16:34 (03:26) root pts/34 10.4.161.171 Fri Dec 24 12:40 - 15:01 (02:21) ngeuser pts/35 10.4.161.171 Fri Dec 24 09:28 - 21:05 (11:37) root pts/34 10.4.161.171 Fri Dec 24 08:41 - 10:18 (01:37) ngeuser pts/33 10.4.161.171 Fri Dec 24 07:15 - 02:00 (1+18:45) ngeuser pts/32 10.4.161.171 Fri Dec 24 07:15 - 02:01 (1+18:46) ngeuser pts/31 10.4.161.171 Fri Dec 24 06:59 - 02:01 (1+19:01) ngeuser pts/30 10.4.161.171 Fri Dec 24 06:59 - 02:01 (1+19:01) http pts/25 10.4.161.171 Fri Dec 24 06:58 - 02:00 (1+19:01) root pts/30 10.4.161.171 Thu Dec 23 16:03 - 20:18 (04:15) http pts/16 10.4.161.171 Thu Dec 23 09:46 - 02:01 (2+16:14)
5. Check out secure file.
[root@ngelinux001 ~]# tail -20 /var/log/secure Dec 27 14:56:01 ngelinux001 crond[21046]: pam_unix(crond:session): session opened for user root by (uid=0) Dec 27 14:56:01 ngelinux001 crond[21046]: pam_unix(crond:session): session opened for user root by (uid=0) Dec 27 14:56:01 ngelinux001 crond[21047]: pam_unix(crond:session): session opened for user root by (uid=0) Dec 27 14:56:01 ngelinux001 crond[21047]: pam_unix(crond:session): session opened for user root by (uid=0) Dec 27 14:56:01 ngelinux001 CROND[21046]: pam_unix(crond:session): session closed for user root Dec 27 14:56:01 ngelinux001 CROND[21046]: pam_unix(crond:session): session closed for user root Dec 27 14:56:11 ngelinux001 CROND[21047]: pam_unix(crond:session): session closed for user root Dec 27 14:56:11 ngelinux001 CROND[21047]: pam_unix(crond:session): session closed for user root Dec 27 14:57:01 ngelinux001 crond[21803]: pam_unix(crond:session): session opened for user metron by (uid=0) Dec 27 14:57:01 ngelinux001 crond[21803]: pam_unix(crond:session): session opened for user metron by (uid=0) Dec 27 14:57:01 ngelinux001 crond[21801]: pam_unix(crond:session): session opened for user root by (uid=0) Dec 27 14:57:01 ngelinux001 crond[21801]: pam_unix(crond:session): session opened for user root by (uid=0) Dec 27 14:57:01 ngelinux001 crond[21802]: pam_unix(crond:session): session opened for user root by (uid=0) Dec 27 14:57:01 ngelinux001 crond[21802]: pam_unix(crond:session): session opened for user root by (uid=0) Dec 27 14:57:01 ngelinux001 CROND[21803]: pam_unix(crond:session): session closed for user metron Dec 27 14:57:01 ngelinux001 CROND[21803]: pam_unix(crond:session): session closed for user metron Dec 27 14:57:01 ngelinux001 CROND[21801]: pam_unix(crond:session): session closed for user root Dec 27 14:57:01 ngelinux001 CROND[21801]: pam_unix(crond:session): session closed for user root Dec 27 14:57:23 ngelinux001 CROND[21802]: pam_unix(crond:session): session closed for user root Dec 27 14:57:23 ngelinux001 CROND[21802]: pam_unix(crond:session): session closed for user root