Quickly discover who is logged in, from where, and what they are doing using simple command-line tools. 18.11.2025 | reading time: 2 min Who is on the system right now and what is he doing: get the answer fast with tools like `who`, `w` and `loginctl` so you can audit activity, react to suspicious access, or simply help a colleague. Quick Example Run these commands on a shell to see live sessions and an overview; the first shows simple logins, the second gives fuller context including idle time and current process: ```bash $ who alice pts/0 2025-11-18 09:12 (:0) bob pts/1 2025-11-18 10:05 (192.168.1.5) $ w 10:30:01 up 3 days, 2:41, 2 users, load average: 0.01, 0.05, 0.07 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT alice pts/0 :0 09:12 1:15m 0.10s 0.10s -bash bob pts/1 192.168.1.5 10:05 3:22 0.05s 0.05s sshd: bob ``` Choose the Right Command Use `who` for a compact snapshot, `w` for active process and idle information, and on systemd systems run `loginctl list-sessions` to map sessions to systemd users; each tool reads different records and serves different needs, so try them in sequence and act on what you see. Other Useful Observations Inspect historical logins with `last`, check raw records in /var/run/utmp and /var/log/wtmp for forensic timelines, and combine session checks with `ss` or `netstat` when you need to link logins to network sockets or troubleshoot remote access. Wrap Up and Next Steps Listing active sessions is a small skill with big impact: practice the commands on test systems, build quick scripts to report anomalies, and deepen your knowledge toward certifications like CompTIA Linux+ or LPIC-1 with intensive exam preparation at bitsandbytes.academy. Join Bits & Bytes Academy First class LINUX exam preparation. utilities security processes troubleshooting
