The command w in Linux: see connected users and their activity

Posted onbyBlockmyIP| Category:Linux terminal commands

Introduction

In Linux system management, knowing who is connected and what you are doing at every moment is essential to detect performance problems, security audits or simply to help a user.

What is command w?

The w command is a standard utility that shows a summary of the users currently connected to the system, along with the average load and time each has been inactive. Combine information about who, upgrade and ps in one view.

Basic syntax and most used options

The simplest way is to runwNo arguments. However, it has several options to filter or change the output format.

  • -h: omits the headline.
  • -s: use the short format, without login time, JCPU and PCPU.
  • -f: alters the display of the FROM field (the hostname or IP from where it was connected).
  • -u: ignores the user name when calculating the load and times.
  • usuario: shows only the information of a particular user.

Understanding the output of w

The typical output includes several columns:

  • USER: name of the user who started the session.
  • TTY: associated terminal or pseudo-terminal.
  • FROM: host or IP from which the connection originated (may be hidden with -f).
  • LOGIN @: time the user started to log in.
  • IDLE: time that has been out of activity.
  • JCPU: CPU time used by all processes linked to that terminal.
  • PCPU: CPU time used by the process currently in the foreground.
  • WHAT: command or application that the user is running at that time.

In addition, the first line of the output shows the current time, the time the system has been on, the number of users connected and the average load of 1, 5 and 15 minutes.

Practical examples

  • See all users with short format: w -s
  • Hide header to process output with scripts: w -h
  • Show only the activity of the user 'juan': w juan
  • Disable the FROM column to save width: w -f
  • Combine options: w -hs juan(hidden header, short format, only juan)

Tips and tricks for administrators

Although w provides an immediate view, combining it with other tools improves monitoring:

  • Usewatch -n 5 wto update the screen every five seconds and detect real-time changes.
  • In audit scripts, remove the WHAT field withawk '{print $11}'(adjusting according to the presence of FROM).
  • If you need to save a history, redirect the output to a timestamp file:date +"%Y-%m-%d %H:%M:%S" >> wlog.txt && w >> wlog.txt
  • On servers with many users, combine w withgrepto quickly locate a suspicious user.

Conclusion

The w command is a light but powerful tool that any Linux administrator should have at hand. It provides, in a single look, essential information about who is connected, what is it doing and how it affects the performance of the system. Domain your options and know how to combine it with watch, awk or readdresses will allow you to perform monitoring and diagnosis tasks more efficiently.

This work is under aCreative Commons License Attribution 4.0 International for Francesc Roig francesc @ vivaldi.net.

EnglishenEnglishEnglish
SpanishesSpanishEspañolEnglishenEnglishEnglish