How to Track and Manage Linux User Activity with Built‑in Commands

Why monitor Linux users?

Monitoring who is logged into a Linux server and what they are doing is a basic skill for developers and administrators. Heavy‑weight tasks such as compiling large programs can consume resources and slow down the system, so identifying the responsible user helps restore normal operation.

whoami – show the current user

[alvin@VM_0_16_centos ~]$ whoami
alvin

who – list all logged‑in users

[alvin@VM_0_16_centos ~]$ who
alvin    pts/0        2018-12-09 07:25 (116.199.***.**)
root     pts/1        2018-12-09 11:05 (116.199.***.**)
alvin    pts/2        2018-12-09 11:05 (116.199.***.**)
harry    pts/3        2018-12-09 11:06 (116.199.***.**)
kate     pts/4        2018-12-09 11:08 (116.199.***.**)
alvin    pts/5        2018-12-09 11:53 (116.199.***.**)

The first column is the username, the second column shows the terminal (tty for local, pts for remote), and the third column displays the login time.

users – concise list of logged‑in usernames

[alvin@VM_0_16_centos ~]$ users
alvin alvin alvin harry kate root

w – detailed view of user activity

[alvin@VM_0_16_centos ~]$ w
16:25:54 up 29 days,  6:05,  6 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM               LOGIN@  IDLE   JCPU   PCPU WHAT
alvin    pts/0    116.199.***.**     07:25   2.00s  0.11s 0.00s w
root     pts/1    116.199.***.**     11:05   5:20m 0.02s 0.02s -bash
alvin    pts/2    116.199.***.**     11:05   5:20m 0.04s 0.05s sshd: alvin [priv]
harry    pts/3    116.199.***.**     11:06   4:33m 18.08s 18.06s watch date
kate     pts/4    116.199.***.**     11:08   4:33m 10.51s 10.48s top
alvin    pts/5    116.199.***.**     11:53   4:32m 0.02s 0.02s -bash

The first line mirrors the output of uptime (current time, system uptime, number of logged‑in users, load average). The following columns are:

USER : login name (appears multiple times if the same user has several sessions).

TTY : terminal used for the login.

FROM : remote host IP.

LOGIN@ : login time.

IDLE : idle time since the last activity.

JCPU : cumulative CPU time used by all processes attached to that terminal.

PCPU : CPU time used by the process shown in the WHAT column.

WHAT : the command currently running.

To view activity for a specific user, append the username to w (e.g., w alvin).

last – historical login records

[alvin@VM_0_16_centos ~]$ last
alvin    pts/5        116.199.***.**   Sun Dec  9 11:53   still logged in
kate     pts/4        116.199.***.**   Sun Dec  9 11:08   still logged in
harry    pts/3        116.199.***.**   Sun Dec  9 11:06   still logged in
...

The last command reads from /var/log/wtmp and shows, for each session, the username, tty, source IP, login time, logout time (or “still logged in”), and total session duration. To filter by a specific user, add the username (e.g., last alvin).

pkill – terminating problematic sessions

After identifying a user who is consuming resources or acting maliciously, you can terminate all of their processes. The command pkill -u username kills every process owned by that user, but it is risky because it may affect system stability. pkill -u alvin A safer approach is to target a specific terminal or process. For example, to kill all processes on pts/3: sudo pkill -kill -t pts/3 This removes the offending session without rebooting the whole system.