As a system administrator, it’s important to keep track of the commands that users are running on your Linux server. This can help you identify any unauthorized activity or potential security breaches, and it can also help you troubleshoot issues or track down errors. In this article, we’ll explore some common commands that you can use to monitor user activity on your Linux system.
Who Command
The who command displays a list of all users who are currently logged in to your system, along with their terminal or console session. It also shows the time they logged in and the IP address from which they are connecting. To use the who command, simply type the following code command in a terminal or console session:
whohappyfeet pts/0 2023-03-07 09:36 (192.168.1.10)
skippingfeet pts/1 2023-03-07 10:22 (192.168.1.15)Last Command
The last command displays a list of all recent logins to your system, including both successful and unsuccessful login attempts. It also shows the time and date of each login, as well as the IP address from which the user connected. To use the last command, type the following code command in a terminal or console session:
lasthappyfeet pts/0 192.168.1.10 Mon Mar 7 09:36 still logged in
skippingfeet pts/1 192.168.1.15 Mon Mar 7 10:22 still logged in
happyfeet pts/0 192.168.1.10 Sun Mar 6 16:10 - 17:12 (01:02)
skippingfeet pts/1 192.168.1.15 Sun Mar 6 14:45 - 16:05 (01:19)
happyfeet pts/0 192.168.1.10 Sat Mar 5 20:30 - 22:11 (01:41)
W Command
The w command provides a detailed summary of all users who are currently logged in to your system, including their username, terminal session, and the processes they are running. It also shows the load average of the system and the time since it was last booted. To use the w command, type the following code command in a terminal or console session:
w 09:36:32 up 20 days, 19:12, 2 users, load average: 0.14, 0.10, 0.08
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
happyfeet pts/0 192.168.1.10 Mon09:36 0.00s 0.03s 0.01s w
skippingfeet pts/1 192.168.1.15 Mon10:22 4:57m 0.01s 0.01s -bashId command
The id command displays information about the user who is currently logged in, including their user ID (UID) and group ID (GID), as well as the groups they belong to. This can be useful for verifying the identity of a user or checking their permissions. To use the id command, type the following code command in a terminal or console session:
iduid=1000(happyfeet) gid=1000(happyfeet) groups=1000(happyfeet),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
Ps command
The ps command is used to display information about the running processes on your system, including the user who started the process, the process ID (PID), and the CPU and memory usage. By filtering the output of the ps command, you can monitor specific processes or track the activity of a particular user. To use the ps command, type the following code command in a terminal or console session:
ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.1 0.4 168964 8972 ? Ss Feb15 171:12/sbin/init splash
root 2 0.0 0.0 0 0 ? S Feb15 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? I< Feb15 0:00 [rcu_gp]
root 4 0.0 0.0 0 0 ? I< Feb15 0:00 [rcu_par_gp]
happyfeet 1010 0.0 0.0 23584 4060 pts/0 Ss Mar06 0:00 bashHtop command
The htop command is an interactive process viewer that displays information about the running processes on your system, similar to the ps command. However, htop provides a more user-friendly interface, with color-coded displays and the ability to sort processes by various criteria. To use the htop command, type the following code command in a terminal or console session:
htop