Instantly Track Any Linux User’s Commands with Bash History, w, and Sysdig

Bash History

Most Linux distributions use bash as the default shell, which records every command a user runs in the .bash_history file located in the user’s home directory. By reading this file you can see what commands have been executed in the past: sudo cat /home/gtwang/.bash_history Note that .bash_history is only updated when the shell session ends, so it does not provide real‑time visibility of newly entered commands.

Using the w Command

The w command lists all users currently logged into the system and shows the command each user is actively running. Example output:

17:34:23 up 35 min, 2 users,  load average: 0.49,0.62,0.77
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
gtwang   tty7     :0               16:58    2:17   0.12s /sbin/upstart -
gtwang   tty2                     17:33   5.00s 0.10s 0.05s - bash

This provides a quick snapshot of who is logged in and what they are doing at the moment.

Monitoring with Sysdig

Sysdig is a powerful system‑level monitoring tool that captures events directly from the Linux kernel. Its user‑monitoring feature can display every command executed by each user in real time.

Install Sysdig on Ubuntu: sudo apt-get install sysdig After installation, run the following command to start live user‑command tracing: sudo sysdig -c spy_users The output includes the user’s shell process ID, the command being run, and the execution timestamp. Because the data is collected from the kernel, the information appears instantly as soon as a user issues a new command.