Who is *really* logged in?

Brad De Vries devriesbj at gmail.com
Mon Oct 22 12:19:16 PDT 2007 

On 10/22/07, Ben Duncan <linux4ms at aim.com> wrote:
> Ok ... here goes some EXPLANATION ....
>
> Brad De Vries wrote:
> > Hey all, I'm curious if someone can answer this question.  I ran a few
> > commands and it's not entirely clear to me.
> >
> > $ who /var/log/wtmp | wc -l
>
> the who done in this matter will parse the FILE. IT shows all the
> history of logins. I could have an empty file, login and log out
> and then log in again and would now have 2 entries in the system.
> It is true historical in nature.
>
> > 23291
> > $ who | wc -l
> > 579
>
> who a w both use the /var/run/utmp file for gathering active users,
> as does uptime.
>
>
> > $ who /var/run/utmp | wc -l
> > 579
> > $ uptime
> >  11:39:04 up 97 days, 20:35, 579 users,  load average: 1.62, 1.05, 1.01
> > $ w | wc -l
> > 51
> >
>
> 'w' is going to ALSO  put some headers in the output ..
> TRY doing a
> 'who'
> and then a
> 'w'
>
> and see if they match. More than likely they will.
>
> > $ cat /etc/redhat-release
> > Red Hat Enterprise Linux AS release 4 (Nahant Update 5)
> >
> > I've gathered that wtmp is historical whereas utmp is current, so I
> > can accept the first two answers.  What I can't understand is why
> > "who" and "uptime" show 579 users and "w" only shows 51.
> >
> > The reason I started investigating this is because I see some users
> > logged in under "who" but when I try to "ps -ft pts/###" it responds
> > with "ERROR: TTY could not be found."
> >
> > Any thoughts?
> >
> > TIA,
> > Brad.
>
> Another thing to make sure of, is that you do not have any STALE wtmp / utmp
> files. Mine get rotated once a day by a cron job.
>
> --
> Ben Duncan - Business Network Solutions, Inc. 336 Elton Road  Jackson MS, 39212
> "Never attribute to malice, that which can be adequately explained by stupidity"
>         - Hanlon's Razor

Ben, your explanation of "who /var/log/wtmp" is consistent with what I
was reading in the man page but I was still a bit surprised that it
shows everyone as still being logged in.  I was expecting that it
would show only those logged in when the wtmp file was created.

As for headers and footers of the "who" and the "w" commands, there
are only two lines that are headers to the "w" command so if I
consider them I'm still getting:
    who: 579 users
    w: 49 (51 - 2) users

Thanks,
Brad.

More information about the Linux-users mailing list