All the popular Linux distributions, such as Ubuntu, Debian, Linux Mint, Fedora, and Red Hat, keep track of user logins, shutdowns, restarts, and how long the system is running.

This information can be very helpful for system administrators when investigating an incident, troubleshooting problems, or creating a report of user activity.

In Linux, system and application logs typically reside in the "/var/log/" directory, which can be accessed via the cat or journalctl command. However, there are other commands that use special files managed by the kernel to monitor user activity.

In this article, you will learn about those different commands that can help you check user login, shutdown, reboot logs, and the system's uptime.

Using Who Command

The who command in Linux can display user login-related information such as user account name, user terminal, time when the user logged in, host name, or IP address from where the user logged in.

Ezoic
$ who

Output:

check user login information in ubuntu

You can use the -b flag to check the current user login (or last reboot) date and time.

$ who -b

Output:

check user last reboot time in ubuntu

Using Last Command

The last command in Linux can display the list of user last logins, their duration, and other information as read from the "/var/log/wtmp" file.

$ last <username>

Output:

Ezoic
check the user last login in ubuntu

Instead of specifying the username, you can substitute it with the reboot parameter to get the time and date of the last reboot in Linux.

$ last reboot

Output:

get last user reboot in ubuntu

Using Uptime Command

The uptime command in Linux tells how long the system has been running by displaying the current time, uptime, number of logged-in users, and average CPU load for the past 1, 5, and 15 minutes.

$ uptime

Output:

check system uptime in ubuntu

Additionally, you can use the -p flag to show only the amount of time the system has been booted for and the -s flag to print the date and time the system booted up at:

$ uptime -p
$ uptime -s

Output:

print the date and time the system booted up at in ubuntu

Using Journalctl COmmand

The journalctl command in Linux is used to query the system journal, which you can use to display the system logs for more information, such as the number of times the system has been booted.

$ journalctl --list-boot

Output:

list the number of times system booted in ubuntu

To get more detailed information from the above list of BOOT IDs, you can specify them with the -b flag.

$ journalctl -b <boot_id>

Output:

List Ubuntu’s Last Reboots

Find out Who/What Caused a Shutdown/Reboot

On a server, it might occur that the desired instance has been shut down or rebooted unexpectedly. In such cases, you may need to investigate the cause and find out if anyone is responsible. You can do this using the following command:

Ezoic

📝 Note

To achieve the same outcome, you can use the last -x command, but I favor this approach as it offers more information.

$ sudo journalctl | grep shutdown

Output:

Ezoic
check who shutdown or rebooted the system in ubuntu

The first entry in the output above indicates that someone initiated the shutdown; now you can use the other method explained in this article to pinpoint the culprit.

Wrap Up

In this article, you've learned how to check user login, when the system has been shutdown and rebooted, and who or what is behind it.

If you have any questions regarding the topic, feel free to ask them in the comments.