Viewing users' system access


History Book

In addition to the active connections, simple system archeology sheds light on activities from the past. By searching the file /var/log/auth.log, you can figure out which users have logged in and logged out. As the admin user, you can also see the last 10 entries logged by sshd. In Listing 11, you can see who logged in, who logged out, and any errors.

Listing 11

Examining auth.log

# grep sshd /var/log/auth.log | tail
Aug 26 14:42:36 efho-mobil sshd[31609]: pam_unix(sshd:session): session closed for user test
Aug 26 14:43:13 efho-mobil sshd[31087]: pam_unix(sshd:session): session closed for user test
Aug 26 14:47:38 efho-mobil sshd[31091]: pam_unix(sshd:session): session closed for user test
Aug 26 20:46:21 efho-mobil sshd[4165]: Server listening on 0.0.0.0 port 22.
Aug 26 20:46:21 efho-mobil sshd[4165]: Server listening on :: port 22.
Aug 26 20:46:31 efho-mobil sshd[4165]: Received signal 15; terminating.
Aug 26 20:46:31 efho-mobil sshd[4531]: Server listening on 0.0.0.0 port 22.
Aug 26 20:46:31 efho-mobil sshd[4531]: Server listening on :: port 22.
Aug 27 14:07:53 efho-mobil sshd[730]: Accepted password for test from ::1 port 40402 ssh2
Aug 27 14:07:53 efho-mobil sshd[730]: pam_unix(sshd:session): session opened for user test by (uid=0)
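
Matching the opened and closed lines of Listing 11 by hand gets tedious on a busy host, so the following added example (not part of the original article) pairs them on the sshd PID and flags sessions whose other half is missing from the file. The function names sshd_sessions and sample_log are assumptions, and the sample input combines lines from Listing 11 with constructed ones.

```sh
#!/bin/sh
# Added example: summarise sshd activity from auth.log-style input (file or stdin).
sshd_sessions() {
    awk '
    $5 ~ /^sshd\[[0-9]+\]:$/ {
        pid = $5; gsub(/[^0-9]/, "", pid)
        ts = $1 " " $2 " " $3
        if ($6 == "Accepted") {
            printf "LOGIN   %s user=%s from=%s method=%s pid=%s\n", ts, $9, $11, $7, pid
        } else if ($6 == "Failed") {
            # "Failed password for invalid user X from IP" shifts the fields by two
            off = ($9 == "invalid") ? 2 : 0
            printf "FAILED  %s user=%s from=%s pid=%s\n", ts, $(9 + off), $(11 + off), pid
        } else if ($7 == "session" && ($8 == "opened" || $8 == "closed")) {
            user = $11; sub(/\(.*/, "", user)    # newer PAM logs "test(uid=1000)"
            if ($8 == "opened") {
                sess_user[pid] = user; sess_start[pid] = ts
            } else if (pid in sess_user) {
                printf "SESSION %s -> %s user=%s pid=%s\n", sess_start[pid], ts, user, pid
                delete sess_user[pid]            # PIDs are reused, so forget closed ones
            } else {
                # Close without an open: the open is in a rotated or truncated log
                printf "ORPHAN  %s user=%s pid=%s (open not in this file)\n", ts, user, pid
            }
        }
    }
    END {
        for (pid in sess_user)
            printf "ACTIVE  %s user=%s pid=%s (no close logged)\n", sess_start[pid], sess_user[pid], pid
    }' "${1:--}"
}

# Sample input: lines from Listing 11 plus constructed ones (PIDs 612 and 655).
sample_log() {
    cat <<'EOF'
Aug 26 14:47:38 efho-mobil sshd[31091]: pam_unix(sshd:session): session closed for user test
Aug 26 20:46:21 efho-mobil sshd[4165]: Server listening on 0.0.0.0 port 22.
Aug 27 09:15:02 efho-mobil sshd[612]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
Aug 27 10:01:40 efho-mobil sshd[655]: Accepted publickey for frank from 192.0.2.20 port 40100 ssh2
Aug 27 10:01:40 efho-mobil sshd[655]: pam_unix(sshd:session): session opened for user frank by (uid=0)
Aug 27 10:30:12 efho-mobil sshd[655]: pam_unix(sshd:session): session closed for user frank
Aug 27 14:07:53 efho-mobil sshd[730]: Accepted password for test from ::1 port 40402 ssh2
Aug 27 14:07:53 efho-mobil sshd[730]: pam_unix(sshd:session): session opened for user test by (uid=0)
EOF
}

sample_log | sshd_sessions
```

On a live system, pass the log file as the argument, for example sshd_sessions /var/log/auth.log; an ORPHAN line usually means the matching open is in a rotated log such as auth.log.1.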

The last tool (installed by default on Ubuntu) provides an overview of the last user sessions. It parses the /var/log/wtmp file and lists all the activities with their login and logout times in reverse order (i.e., the most recent events appear at the top). Listing 12 shows an excerpt from the logged activities where the login, the terminal, the computer of origin, and the time of use are displayed. Currently logged-in users can be identified by the words still logged in in the last column.

Listing 12

Excerpt of Logged Activities

# last
frank    pts/9        :0.0             Wed Aug 27 14:09   still logged in
test     pts/7        localhost        Wed Aug 27 14:07   still logged in
frank    pts/1        :0               Tue Aug 26 20:46   still logged in
frank    tty7         :0               Tue Aug 26 20:46   still logged in
reboot   system boot  3.2.0-4-686-pae  Tue Aug 26 20:46 - 16:18  (19:32)
test     pts/17       192.168.102.21   Tue Aug 26 14:32 - 14:47  (00:14)

The lastlog command (included by default on Ubuntu) shows you which authorized users have logged in. It scans the /var/log/lastlog file and sorts the output according to the user data in /etc/passwd. Listing 13 shows the login names, the terminal, the source IP address, and the last time the user logged in.

Listing 13

Output from lastlog

# Username   Port     from             last
root         tty5                      Tu Jun 10 16:34:26 +0200 2014
www-data                               **Never yet logged in**
frank        pts/10   localhost        Mo Aug 25 16:31:09 +0200 2014
kurs         pts/3    172.31.150.110   Di Sep 14 14:09:25 +0200 2010
#

Conclusion

The tools presented here can give you a clear overview of which users have or have not been on the systems you manage. You can also obtain insight into the current state of the system and look back at who accessed the system in the past.

Further information about the users can be obtained by using the finger, cfinger, or pinky tools. GNOME enthusiasts can find information in the gnome-nettool program, which uses a nice graphical interface.

Acknowledgements

The author thanks Wolfram Eifler and Axel Beckert for their input and comments for this article.

