Assess User Activity
If you’re managing a Linux server, it’s good to be ready with a number of commands that you can use to check user activity – when your users are logging in and how often, what groups they belong to, how much disk space they’re consuming, what commands they're running, whether they’re reading their mail and more.
In this post, we'll look at a number of commands that can help you understand who your users are and how they work.
finger
With no arguments, finger shows who is logged in.
$ finger
Login Name Tty Idle Login Time Office Office Phone
nemo Nemo Demo pts/1 1:24 Jun 19 12:58 (192.168.0.6)
shs Sandra Henry-Stocker pts/0 Jun 19 12:57 (192.168.0.6)
With a username as an argument, finger focuses on an individual user.
$ finger nemo
Login: nemo Name: Nemo Demo
Directory: /home/nemo Shell: /bin/bash
On since Fri Jun 19 12:58 (EDT) on pts/1 from 192.168.0.6
7 minutes 47 seconds idle
New mail received Wed Jun 17 18:31 2020 (EDT)
Unread since Sat Jun 13 18:03 2020 (EDT)
No Plan.
The output above also indicates that nemo doesn't have a "plan", but this just means that he hasn't created a .plan file and put some text into it; this is not at all unusual.
w
The w command also provides a nicely formatted list of currently active users.
id
With the id command, you can view a user's numeric ID and group ID along with what groups the user is a member of. This information is pulled from the /etc/passwd and /etc/group files. With no arguments, id reports the information for your account.
$ id
uid=1000(shs) gid=1000(shs) groups=1000(shs),4(adm),11(admin),24(cdrom),27(sudo),30(dip),46(plugdev),118(lpadmin),128(sambashare),500(devops)
$ id nemo
uid=1001(nemo) gid=1001(nemo) groups=1001(nemo),16(fish)
auth.log
You can yank information from the /var/log/auth.log file with commands like grep. To show the most recent login activity using auth.log data:
$ grep "New session" /var/log/auth.log | awk '{print $1,$2,$3,$11}' | tail -5
Jun 17 17:22:38 shs.
Jun 17 17:58:43 gdm.
Jun 17 18:09:58 shs.
Jun 19 12:57:36 shs.
Jun 19 12:58:44 nemo.
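The grep/awk pipeline above lists individual sessions. The following added example (not from the original post) extends it to a per-user summary with a session count and the latest login time, and finds the user name by keyword so that it also works when the timestamp is a single ISO-style field. The hostname, PIDs, session numbers and the ISO-format line in the sample are constructed.

```shell
#!/bin/sh
# Added example: per-user summary of "New session" entries in auth.log-style input.

# Constructed sample lines; hostname "myhost", PIDs and session numbers are made up.
sample_log() {
cat <<'EOF'
Jun 17 17:22:38 myhost systemd-logind[823]: New session 3 of user shs.
Jun 17 17:57:02 myhost systemd-logind[823]: Removed session 3.
Jun 17 17:58:43 myhost systemd-logind[811]: New session c1 of user gdm.
Jun 17 18:09:58 myhost systemd-logind[811]: New session 2 of user shs.
Jun 19 12:57:36 myhost systemd-logind[811]: New session 11 of user shs.
Jun 19 12:58:40 myhost sshd[4021]: Accepted password for nemo from 192.168.0.6 port 50022 ssh2
Jun 19 12:58:44 myhost systemd-logind[811]: New session 12 of user nemo.
2020-06-19T13:05:10.123456-04:00 myhost systemd-logind[811]: New session 14 of user nemo.
EOF
}

# Prints "user count latest-timestamp", one line per user, sorted by user name.
# Reads stdin, or the files named as arguments.
summarize_sessions() {
    awk '
    /New session/ {
        user = ""
        # Find the name by keyword rather than a fixed field number, so a
        # different timestamp layout does not shift the result.
        for (i = 1; i < NF; i++)
            if ($i == "of" && $(i + 1) == "user") { user = $(i + 2); break }
        if (user == "") next
        sub(/\.$/, "", user)    # the message ends with a period
        # Traditional syslog timestamps span three fields, ISO ones a single field.
        ts = ($1 ~ /^[0-9][0-9][0-9][0-9]-/) ? $1 : $1 " " $2 " " $3
        count[user]++
        latest[user] = ts       # input is chronological, so the last one wins
    }
    END { for (u in count) printf "%s %d %s\n", u, count[u], latest[u] }
    ' "$@" | LC_ALL=C sort
}

sample_log | summarize_sessions
```

To run it against the real log, pass the file as an argument: summarize_sessions /var/log/auth.log.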
last
The last command is probably the best for looking at recent logins for all users or one individual. Just remember that last shows the most recent activity first since this is the information that most admins are most interested in.
$ last | head -5
nemo pts/1 192.168.0.6 Fri Jun 19 12:58 still logged in
shs pts/0 192.168.0.6 Fri Jun 19 12:57 still logged in
shs pts/0 192.168.0.6 Wed Jun 17 18:10 - 18:42 (00:32)
reboot system boot 5.4.0-37-generic Wed Jun 17 17:58 still running
shs pts/2 192.168.0.6 Wed Jun 17 17:22 - 17:57 (00:34)
$ last nemo | head -5
nemo pts/1 192.168.0.6 Fri Jun 19 12:58 - 16:21 (03:22)
nemo pts/2 192.168.0.6 Sat Jun 13 17:49 - 19:05 (01:16)
nemo pts/1 192.168.0.6 Thu Jun 4 17:33 - 17:44 (00:10)
nemo pts/1 192.168.0.19 Mon May 11 19:04 - 19:57 (00:52)
nemo pts/1 192.168.0.19 Tue May 5 12:46 - 17:49 (05:02)