How to know who logged into your data center Linux servers

With a simple command, you can find out which users logged into your data center Linux servers and prevent them from doing harm.

How to know who logged into your data center Linux servers

Users log in and out of your data center Linux servers all day. As the admin of those systems, you are charged with knowing every single thing that goes on with those servers and what to do to keep them reliable and secure.

But how do you know who is logged into those Linux servers and what they're doing? This might seem like a daunting task, but since you're using Linux this task is not only simple, but it's built right into the servers. With the use of a single command, you can find out what's going on under your nose. It's so simple, every Linux admin should be able to do this.

SEE: Hiring kit: Database administrator (Tech Pro Research)

So how do you find out? By using the w command.

What is w?

The w command stands for both who and what because that's what it displays. From the w man page: w displays information about the users currently on the machine and their processes. The header shows, in this order, the current time, how long the system has been running, and how many users.

Since w is already installed on your system, you're set to go.

Let's see how to use w.


Log into your Linux data center server and issue the command:


The output of the command will display who is currently logged into the machine and what command they are using (Figure A).

Figure A

Figure A: Two users logged into the system, each using different tools.

As you can see, user olivia is logged into the data center server but has secure shell'd into a machine at Is she allowed to do this? If not, you can always kill that SSH session by first finding out it's PID with the command:

ps -ef | grep olivia

The output of the above command will list all PIDs of all processes associated with the user olivia. As you can see (Figure B), the ssh PID is 27306.

Figure B

Figure B: Everything user olivia is doing on the system.

Issue the following command to kill the ssh session:

sudo kill 27306

From the same listing (after running the ps -ef |grep olivia command above), you can see that the PID of olivia's login session is 27299 (denoted by pts/1). Kill that PID with the command:

sudo kill 27299

The above command will effectively log olivia out. Considering you've also seen the IP address she's logged into from, you can act accordingly to block that address from having access to the server (if necessary).

Use wisely

Had the user olivia been doing something nefarious, hopefully, you've stopped her. Of course, if she were a user allowed to be on that server, you probably wouldn't kill her session. However, this is an easy way to keep tabs on who's logged into those data center Linux servers and what they are doing. Use the w command wisely and it might help you prevent a rogue user from doing something they shouldn't on your data center servers.

Also see

Image: Jack Wallen