Monitoring User Logins In UNIX

Here are some of the commands and files that you may want to check out if you want to monitor your users’ login activity on a Unix box (BSD/Solaris)

The concerned files (Solaris):

  • /var/adm/utmp(x)
  • /var/adm/wtmp(x)
  • /var/adm/lastlog

The Commands:

  • users*
  • who
  • w
  • ac*
  • last
  • *may not be available in Solaris?

All sample outputs show on this post are from: `uname -a`

SunOS unixbox 5.9 Generic sun4u sparc SUNW,Ultra-5_10

utmp, wtmp and lastlog

First of all, these files are not regular text files. Doing a more, cat or less on these files will only output garbage data. Whenever users log in a (Solaris) box, these three files are read and updated.

The /var/adm/lastlog File

All the information of a user’s last log in are recorded or saved in this file. The utility that keeps track of these item is the login utility. When a user logs in, it will then update the file and make a new entry – that is, the new itme of the new login etc.

Here’s a typical output when a user logs in:

login: razile

Last login: Fri Oct 21 21:50:02 2007 from
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
razile@unix-box %

Here’s what happening… The login utility prompts for the username and waits for the password. If the authentication is successful, it will then read the /var/adm/lastlog file to check when was the last time this particular user had logged in. And it looks like it’s on 21st of October from

The /var/adm/utmp(x) File

The utmpx file contains information about users who are currently logged in. Again, this is no ordinary text file and cannot be read by plain old less or more. To read this file, you could use any of the following: w, who or users.

users in Solaris can be found by default on the /usr/ucb directory

users command can be used to plainly see who are currently online. Not much info are show but who is logged in.

# /usr/ucb/users
razile root amkor nav 100serv

w shows a much more detailed view of the users who are logged in the system.

# w
1:55am 2 users, load average: 0.04, 0.02, 0.02
User tty login@ idle JCPU PCPU what
razile pts/2 1:51am 3 w
root pts/9 Tue 9pm 2days bash
root pts/7 27Jul0745days 6 /sbin/sh
root pts/8 10Aug0778days /sbin/sh

The output shows that there are currently 2 users logged in the machine – razile and root – with root using 2 terminals and razile pts/2. Take note of the last column. It’s shows what was the command being executed by the user.

The who command has almost the same output as w but without the last executed command unlike what was shown above.

# who
razile pts/2 Oct 27 01:51 (
root pts/9 Oct 23 21:14 (
root pts/7 Jul 27 14:05 (:0.0)
root pts/8 Aug 10 11:37 (:0.0)

What the last column shows here is the computer where the user connected from instead of the command executed.

who can also take an argument. For example, you want to see content of /var/adm/wtmpx instead of the default (for who) /var/adm/utmpx:

# who /var/adm/wtmpx

last is the command that looks into the /var/adm/wtmpx by default. Last will list the sessions of specified users, ttys, and hosts, in reverse time order, that is the latest entry first unlike if you use who on wtmpx – it will display the oldest entry first.

razile@unixbox->who /var/adm/wtmpx | more
user1 ftp3800 Oct 26 23:45 (nfsbox )
user2 ftp3980 Oct 27 00:00 (
user5 ftp3990 Oct 27 00:02 (nfsbox )
user9 ftp3991 Oct 27 00:02 (
user8 ftp3992 Oct 27 00:02 (nfsbox )

razile@unixbox->last | more
user1 ftp nfsbox Sat Oct 27 02:31 – 02:32 (00:00)
user2 ftp nfsbox Sat Oct 27 02:24 – 02:25 (00:00)
user5 ftp nfsbox Sat Oct 27 02:19 – 02:19 (00:00)
user9 ftp nfsbox Sat Oct 27 02:18 – 02:19 (00:00)
user8 ftp nfsbox Sat Oct 27 02:18 – 02:18 (00:00)

The utilities w, who, and users display information contained in the file /var/run/utmp; the utilities last and ac display the information contained in /var/log/wtmp.

3 thoughts on “Monitoring User Logins In UNIX”

Leave a Reply

Your email address will not be published. Required fields are marked *