How to list logged-in users in Linux

Listing logged-in users in Linux helps administrators understand who currently has access to a system and where connections originate. Monitoring active sessions improves accountability, reveals idle or stuck logins, and can highlight unexpected remote access attempts.

User logins are tracked through session records stored in binary databases such as utmp and wtmp, which are read by standard utilities. Commands like who and w provide a real-time view of active sessions, including terminal identifiers, login times, and remote host information. Tools such as last and lastlog query historical and per-user records to reconstruct previous login activity.

Access to these utilities normally requires only standard user privileges, but their output can reveal sensitive information such as usernames, hostnames, and IP addresses. Historical records may be rotated or truncated by log management policies, so very old sessions might no longer appear. On hardened systems, some fields may be anonymized or limited, and remote addresses might reflect bastion hosts or jump servers instead of original client IPs.

Steps to check currently logged-in users in Linux:

Open a terminal on the Linux system.
```
$ whoami
user
```
Run the who command to list users currently logged in with their terminals and login times.

The output lists each active session with the username, terminal, login time, and remote host where applicable.
```
$ who
user     pts/0        2026-01-10 12:15 (203.0.113.10)
```

Use the w command to display logged-in users along with their current processes and system load averages.

This view adds process information, idle time, and load averages to help identify busy or idle sessions.

$ w
 12:15:48 up 6 min,  2 users,  load average: 0.50, 0.18, 0.07
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU  WHAT
user              203.0.113.10     12:15    6:33   0.00s   ?    sshd: user [priv]
user              203.0.113.10     12:14    6:33   0.00s  0.01s sshd: user [priv]

Run the last command to review recent login sessions, including when each user logged in and out.

This history view helps identify previous access patterns and unexpected or failed sessions if logged.

$ last
user     pts/0        203.0.113.10     Sat Jan 10 12:15   still logged in
user     pts/0        203.0.113.10     Sat Jan 10 12:15   still running
user     pts/0        203.0.113.10     Sat Jan 10 12:15   still running
user     pts/0        203.0.113.10     Sat Jan 10 12:15   still running
reboot   system boot  6.8.0-90-generic Sat Jan 10 12:09   still running
reboot   system boot  6.8.0-84-generic Thu Jan  8 19:28 - 19:33  (00:04)

Print only unique usernames of currently logged-in users by combining who with awk, sort, and uniq.

This command reduces the session list to a distinct set of usernames without duplicates.
```
$ who | awk '{print $1}' | sort | uniq
user
```

Use the lastlog command to check the last login of a specific user.

The lastlog output shows the last login timestamp, terminal, and remote host recorded for the selected user.

$ lastlog -u user
Username         Port     From                                       Latest
user             pts/0    203.0.113.10                             Sat Jan 10 12:15:48 +0800 2026

Confirm that the current session appears in the login records using who am i.

This command shows the record associated with the active terminal and verifies that session tracking is working correctly.
```
$ who am i
user     pts/0        2026-01-10 12:15 (203.0.113.10)
```
Close the terminal after reviewing the login and history information.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.