How to Monitor Linux Server Users in Real Time

Under many scenarios, you may never allow other users to login to your Linux server, and you can still function successfully. In rare cases, however, you might need to give certain users SSH accounts to allow them limited access to command line functions within a chroot jail. In those situations, you need a tool that can keep an eye on users and give you details about the programs they use.

A linux program called whowatch does all of that and more. It is a console program but uses ncurses to display the semblance of a graphical program. It has a complete menu-driven interface with several features, including:

  • a real-time list of logged-in users
  • the user’s hostname
  • the current process the user is actively running
  • the process tree for a selected user
  • the ability to kill user processes

When you first start whowatch, you will see an interface that looks like this:

4 users: (2 local, 0 telnet, 0 ssh, 2 other) load: 0.70, 0.37, 0.49

(init) user pts/0 :0 –
(konsole) user pts/2 :0 whowatch
(init) ctd tty1 top
(login) ctd tty1 top

From this you can tell that “user” (your own username) is logged in and using the terminal emulator called “konsole” to run the whowatch program. The user “ctd” is logged into the console and is running the “top” command.

In addition to the above view, you can also see a tree view of processes from users:

1927 user | `- ksysguardd
1914 user |- /usr/bin/knotify4
1905 user |- /usr/bin/kactivitymanagerd
1801 root |- /usr/lib/upower/upowerd
1794 user |- /usr/bin/kwalletd
1788 user |- /usr/bin/kglobalaccel
1781 user |- /usr/lib/gvfs//gvfs-fuse-daemon /home/user/.gvfs
1776 user |- /usr/lib/gvfs/gvfsd
1770 user |- kdeinit4: kded4 [kdeinit]
1767 user |- kdeinit4: kdeinit4 Running…
14116 user | |- kdeinit4: klauncher [kdeinit] –fd=13
5432 user | |- /usr/lib/firefox-5.0/firefox-bin

Whowatch is a free and open source program available through most Linux distribution repositories. For more detailed instructions, type “man whowatch” from the command line.