The w command displays a list of logged-in users and what each of them is currently running.
The output appears similar to:
# w
13:38:57 up 88 days, 12:38, 3 users, load average: 0.06, 0.12, 0.16
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/1 10.0.0.12 Mon 1pm 45:39m 0.17s 0.17s -bash
username pts/2 myname-laptop.do 12:12pm 0.00s 0.06s 0.01s sshd: username [priv]
root pts/3 hostname.domain. Sun 6pm 3days 0.05s 0.05s -bash
The last command searches the /var/log/wtmp file and displays a list of all users that have logged in and out since the file was created.
The output appears similar to:
# last
username pts/2 myname-laptop.do Thu Apr 3 12:12 still logged in
root pts/2 myname-laptop.do Thu Apr 3 11:25 - 11:40 (00:14)
Note: Run last reboot to display a list of all reboots since /var/log/wtmp was created.
The who command displays a list of users that are currently logged into the server.
The output appears similar to:
# who
root pts/1 Mar 31 13:52 (10.0.0.12)
username pts/2 Apr 3 12:12 (myname-laptop.domain.com)
root pts/3 Mar 30 18:48 (hostname.domain.com)
The fuser command, run with the -k option against a session's terminal device, is used to terminate unwanted sessions (that is, sessions that the w or last commands report as open).
Note: The fuser command may not be available on earlier versions of ESX 3.5.
The output appears similar to:
# w
13:50:54 up 88 days, 12:50, 3 users, load average: 0.52, 0.40, 0.24
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/1 10.0.0.12 Mon 1pm 45:51m 0.17s 0.17s -bash
username pts/2 myname-laptop.do 12:12pm 0.00s 0.05s 0.01s sshd: username [priv]
root pts/3 hostname.domain. Sun 6pm 3days 0.05s 0.05s -bash
# fuser -k /dev/pts/1
/dev/pts/1 1699
# w
username pts/2 myname-laptop.vm 12:12pm 0.00s 0.05s 0.01s sshd: username [priv]
root pts/3 hostname.domain. Sun 6pm 3days 0.05s 0.05s -bash
The fuser command can also be used to associate a process ID with an application that has an open network port. Use the fuser command to map process IDs to network ports (such as SSH). If you know a process ID and what it is doing (rebooting, for example) and can associate it with an SSH port, you can identify how the user that initiated the reboot was connected.
The output appears similar to:
# fuser ssh/tcp
ssh/tcp: 1031 4622 12190 29655 29670
# ps -ef |grep 1031
root 1031 1 0 Jan06 ? 00:00:00 /usr/sbin/sshd
root 4622 1031 0 Mar30 ? 00:00:00 sshd: root@pts/3
root 12190 1031 0 Mar31 ? 00:00:08 sshd: root@pts/1
root 29655 1031 0 12:12 ? 00:00:00 sshd: username [priv]
root 1312 29778 0 14:04 pts/2 00:00:00 grep 1031
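The PID-to-session mapping described above can be scripted. The following is an added example, not part of the original article: it joins the PID list from fuser ssh/tcp with ps -ef rows and labels each sshd process as listener, privilege-separation monitor, or user session. The function names map_ssh_sessions and tty_for_user are hypothetical, the sample input is constructed from the output shown above, and the ps -ef column layout is assumed to match it.

```shell
#!/bin/sh
# Added example: correlate `fuser ssh/tcp` PIDs with `ps -ef` rows to see
# which sshd process belongs to which user and terminal.

# Constructed sample input, modelled on the output shown in this article.
SAMPLE_FUSER='ssh/tcp:              1031  4622 12190 29655 29670'
SAMPLE_PS='root      1031     1  0 Jan06 ?        00:00:00 /usr/sbin/sshd
root      4622  1031  0 Mar30 ?        00:00:00 sshd: root@pts/3
root     12190  1031  0 Mar31 ?        00:00:08 sshd: root@pts/1
root     29655  1031  0 12:12 ?        00:00:00 sshd: username [priv]
root      1312 29778  0 14:04 pts/2    00:00:00 grep 1031'

# map_ssh_sessions FUSER_LINE PS_TEXT
# Prints "PID ROLE USER TTY" for every ps row whose PID fuser reported.
# PIDs that fuser lists but ps does not show (29670 here) produce no row.
map_ssh_sessions() {
    printf '%s\n' "$2" | awk -v pids="${1#*:}" '
        BEGIN { n = split(pids, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        !($2 in want) { next }            # process does not hold the SSH port
        $8 == "sshd:" {                   # per-connection sshd child
            who = $9; tty = "-"
            if (split(who, p, "@") == 2) { who = p[1]; tty = p[2] }
            role = (tty == "-") ? "privsep" : "session"
            print $2, role, who, tty
            next
        }
        { print $2, "listener", "-", "-" } # the parent /usr/sbin/sshd
    '
}

# tty_for_user FUSER_LINE PS_TEXT USER
# Prints the /dev path of each terminal USER holds over SSH, which is the
# form of argument the fuser -k step above takes.
tty_for_user() {
    map_ssh_sessions "$1" "$2" |
        awk -v u="$3" '$2 == "session" && $3 == u { print "/dev/" $4 }'
}

# On a live host (fuser writes the "ssh/tcp:" label to stderr):
#   map_ssh_sessions "$(fuser ssh/tcp 2>/dev/null)" "$(ps -ef)"
```

A user whose only row is a privsep monitor, such as username in the sample, has to be matched to a terminal through the w or who output instead.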