How to access user activity on Linux
Finger command
A handy command for tracking user activity is finger. It lets you see who is logged in, or focus on a single user's activity: when they last logged in, where they logged in from, and so on. In this example, we will look at the activity of the user nemo.
    $ finger nemo
    Login: nemo                             Name: Nemo Demo
    Directory: /home/nemo                   Shell: /bin/bash
    On since Fri Jun 19 12:58 (EDT) on pts/1 from 192.168.0.6
       7 minutes 47 seconds idle
    New mail received Wed Jun 17 18:31 2020 (EDT)
         Unread since Sat Jun 13 18:03 2020 (EDT)
    No Plan.
We can see nemo's full name, home directory, and shell. We can also see nemo's most recent login and email activity. Office, office phone, and home phone appear only if they are specified in the full name field of the /etc/passwd file. For example:
    nemo:x:1001:1001:Nemo Demo,11,540-222-2222,540-333-3333:/home/nemo:/bin/bash
The output above also indicates that nemo has no "plan" at all, but this just means that this user did not create a .plan file and put some text into it; nothing out of the ordinary.
Without an argument, the finger command displays a list of current logins in the format shown below. You can see when each user logged in, the IP address they logged in from, and the terminal they are using (for example, pts/1).
    $ finger
    Login     Name                 Tty      Idle  Login Time   Office     Office Phone
    nemo      Nemo Demo            pts/1    1:24  Jun 19 12:58 (192.168.0.6)
    shs       Sandra Henry-Stocker pts/0          Jun 19 12:57 (192.168.0.60
w command
The w command also provides a nicely formatted list of currently active users, including idle time and the command each user last ran. Its top line also shows how long the system has been up, along with load averages that indicate the level of system activity. In this case (0.00 for the last 1, 5 and 15 minutes), the system is largely idle.
    $ w
     14:23:19 up 1 day, 20:24,  2 users,  load average: 0.00, 0.00, 0.00
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    shs      pts/0    192.168.0.6      12:57    0.00s  0.14s  0.01s w
    nemo     pts/1    192.168.0.6      12:58    1:24m  0.03s  0.03s -bash
Id command
With the id command, you can view a user's numeric user ID and group IDs (the ID of every group the user is a member of). This information is taken from the /etc/passwd and /etc/group files. With no arguments, the id command reports information for your own account.
    $ id
    uid=1000(shs) gid=1000(shs) groups=1000(shs),4(adm),11(admin),24(cdrom),27(sudo),30(dip),46(plugdev),118(lpadmin),128(sambashare),500(devops)
    $ id nemo
    uid=1001(nemo) gid=1001(nemo) groups=1001(nemo),16(fish)
The auth.log file
You can extract information from the /var/log/auth.log file with commands like grep. To display the most recent login activity using the auth.log data, issue the following command:
    $ grep "New session" /var/log/auth.log | awk '{print $1,$2,$3,$11}' | tail -5
    Jun 17 17:22:38 shs.
    Jun 17 17:58:43 gdm.
    Jun 17 18:09:58 shs.
    Jun 19 12:57:36 shs.
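The awk command above picks the user name by position ($11), which only holds when the timestamp takes up three fields. As an added example (not part of the original article), the function below finds the user by the words around it, so it also works when the log uses single-field ISO 8601 timestamps; the sample log lines, host name, PIDs and session IDs are constructed.

```shell
#!/bin/sh
# Added example: print "timestamp user" for each systemd-logind "New session" line.
# Reads the files given as arguments, or stdin when none are given.
new_sessions() {
    awk '
    /New session/ {
        for (i = 1; i < NF; i++) {
            if ($i == "of" && $(i + 1) == "user") {
                user = $(i + 2)
                sub(/\.$/, "", user)          # drop the trailing period
                # Traditional syslog timestamps span three fields (Jun 17 17:22:38);
                # ISO 8601 timestamps occupy a single field.
                ts = ($1 ~ /^[0-9][0-9][0-9][0-9]-/) ? $1 : ($1 " " $2 " " $3)
                print ts, user
                break
            }
        }
    }' "$@"
}

# Constructed sample lines (host name, PIDs and session IDs are made up).
sample_auth_log() {
    cat <<'EOF'
Jun 17 17:22:38 host1 systemd-logind[612]: New session 4 of user shs.
Jun 17 17:58:43 host1 systemd-logind[612]: New session c1 of user gdm.
Jun 19 12:58:02 host1 sshd[2211]: Accepted password for nemo from 192.168.0.6 port 51514 ssh2
2020-06-19T12:57:36.123456-04:00 host1 systemd-logind[612]: New session 7 of user shs.
EOF
}

sample_auth_log | new_sessions
```

On a live system, call new_sessions /var/log/auth.log; reading that file usually requires root or membership in the adm group.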
Last command
The last command is the best way to view recent logins for all users or for an individual. Remember that the most recent activity is displayed first, because this is the information most admins are most interested in.
    $ last | head -5
    nemo     pts/1        192.168.0.6      Fri Jun 19 12:58   still logged in
    shs      pts/0        192.168.0.6      Fri Jun 19 12:57   still logged in
    shs      pts/0        192.168.0.6      Wed Jun 17 18:10 - 18:42  (00:32)
    reboot   system boot  5.4.0-37-generic Wed Jun 17 17:58   still running
    shs      pts/2        192.168.0.6      Wed Jun 17 17:22 - 17:57  (00:34)
    $ last nemo | head -5
    nemo     pts/1        192.168.0.6      Fri Jun 19 12:58 - 16:21  (03:22)
    nemo     pts/2        192.168.0.6      Sat Jun 13 17:49 - 19:05  (01:16)
    nemo     pts/1        192.168.0.6      Thu Jun  4 17:33 - 17:44  (00:10)
    nemo     pts/1        192.168.0.19     Mon May 11 19:04 - 19:57  (00:52)
    nemo     pts/1        192.168.0.19     Tue May  5 12:46 - 17:49  (05:02)
Du command
The du command will report how much space each user's home directory is using if you run it against each of the /home directories like this:
    $ sudo du -sk /home/*
    289     /home/dorothy
    116     /home/dory
    88      /home/eel
    28      /home/gino
    28      /home/jadep
    12764   /home/nemo
    732     /home/shark
    418046  /home/shs
    108     /home/tadpole
By default, sizes are reported in 1024-byte units.
Ps command and history
For users who are currently logged in, you can always use a command like ps -ef | grep ^nemo to see which commands and processes the user is currently running. To view commands that were run previously, you can try looking at the user's history files (e.g. .bash_history), but note that users can set up their accounts so that certain commands do not appear in the history file, and they can also edit these files if desired.
Count the number of logins
If you want to see how many times each of your users has logged in since the /var/log/wtmp file was last rotated, use a command like this:
    $ for user in $(ls /home)
    > do
    >   cnt=$(last "$user" | grep -c "^$user")   # count logins
    >   echo "$user: $cnt"                       # show login count
    > done
The output will look like this:
    dorothy: 0
    dory: 0
    eel: 8
    gino: 0
    jadep: 102
    nemo: 39
    shark: 50
    shs: 105
    tadpole: 0
If you want more details, you can write a more complex script, adding some additional information such as login details and formatting.
    #!/bin/bash

    sepline="===================="

    for user in $(ls /home)
    do
        len=${#user}                               # get length of username
        echo "$user"
        sep="${sepline:0:$len}"                    # set separator
        echo "$sep"                                # print separator
        cnt=$(last "$user" | grep -c "^$user")     # count logins
        echo "logins: $cnt"                        # show login count
        last "$user" | grep "^$user" | head -5     # show most recent logins
        echo
    done
The above script limits the data displayed to the last five logins, but you can easily change that if desired. Here's how the data for a user will be formatted:
    shs
    ===
    logins: 105
    shs      pts/0        192.168.0.6      Fri Jun 19 12:57   still logged in
    shs      pts/0        192.168.0.6      Wed Jun 17 18:10 - 18:42  (00:32)
    shs      pts/2        192.168.0.6      Wed Jun 17 17:22 - 17:57  (00:34)
    shs      pts/0        192.168.0.25     Wed Jun 17 17:20 - 17:57  (00:36)
    shs      pts/1        192.168.0.6      Wed Jun 17 15:19 - 17:57  (02:38)