
PSACCT in Linux : User & Process History Tracking

One of my friends wanted to log the activity of a user on a Linux server, including details such as the PTS/TTY the user logged in from, the logon times and the commands the user ran throughout the session. To begin with, I thought I should log the shell 'history' per user and with timestamps. But that didn't help much, because we did not have a single interface from which we could monitor several users at the same time. Another problem was that the users' login times and terminals would not be displayed alongside the commands; we would have to use separate commands like 'last' to get hold of that data. The second line of thought was to redirect the .bash_history data of all users to 'syslog', but even that turned out to be too complex.

Finally, looking for a better and easier solution, I stumbled upon a toolset package called PSACCT (Process Accounting). PSACCT can be used to log user activity in detail. Process accounting lets you view every command executed by a user, including CPU and memory consumption data. With process accounting a system admin can find out which command was executed at what time.

The psacct package contains several tools for monitoring process activity: ac, lastcomm, accton and sa.

· The ac command displays statistics about how long users have been logged on.

· The lastcomm command displays information about previously executed commands.

· The accton command turns process accounting on or off.

· The sa command summarizes information about previously executed commands.

Installing 'psacct' or 'acct' in Linux

psacct and acct are the same software; the psacct package is available for rpm-based distributions such as RHEL, CentOS and Fedora, whereas the acct package is available for Debian-based distributions such as Ubuntu and Debian itself.

To install the psacct package under rpm-based distributions, issue the following yum command.

# yum install psacct

To install the acct package with apt-get under Ubuntu / Debian:

$ sudo apt-get install acct

OR

# apt-get install acct

Starting psacct or acct service

By default the psacct service is disabled and you need to start it manually under RHEL/CentOS/Fedora systems. Use the following command to check the status of the service.

# /etc/init.d/psacct status

Process accounting is disabled.

The status shows as disabled, so let's start it manually with the following two commands. They create the /var/account/pacct file and start the service.

# chkconfig psacct on

# /etc/init.d/psacct start

Starting process accounting:                               [  OK  ]

After starting the service, check the status again; it will now report enabled, as shown below.

# /etc/init.d/psacct status

Process accounting is enabled.

Under Ubuntu, Debian and Mint the service is started automatically, so you don't need to start it yourself.

List Last Executed Commands of User

The 'lastcomm' command searches for and displays information about previously executed user commands. You can also restrict the search to an individual username; for example, here we list the commands of user 'binpipe'.

See the lastcomm man page for the other details and command switches.

# lastcomm binpipe

su                      binpipe  pts/0      0.00 secs Wed April 13 15:56

ls                      binpipe  pts/0      0.00 secs Wed April 13 15:56

ls                      binpipe  pts/0      0.00 secs Wed April 13 15:56

ls                      binpipe  pts/0      0.00 secs Wed April 13 15:56

bash               F    binpipe  pts/0      0.00 secs Wed April 13 15:56

id                      binpipe  pts/0      0.00 secs Wed April 13 15:56

grep                    binpipe  pts/0      0.00 secs Wed April 13 15:56

grep                    binpipe  pts/0      0.00 secs Wed April 13 15:56

bash               F    binpipe  pts/0      0.00 secs Wed April 13 15:56

dircolors               binpipe  pts/0      0.00 secs Wed April 13 15:56

bash               F    binpipe  pts/0      0.00 secs Wed April 13 15:56

tput                    binpipe  pts/0      0.00 secs Wed April 13 15:56

tty                     binpipe  pts/0      0.00 secs Wed April 13 15:56

bash               F    binpipe  pts/0      0.00 secs Wed April 13 15:56

id                      binpipe  pts/0      0.00 secs Wed April 13 15:56

bash               F    binpipe  pts/0      0.00 secs Wed April 13 15:56

id                      binpipe  pts/0      0.00 secs Wed April 13 15:56

Search Logs for Commands

With the lastcomm command you can also view each individual use of a given command.

# lastcomm ls

ls                      binpipe  pts/0      0.00 secs Wed April 13 15:56

ls                      binpipe  pts/0      0.00 secs Wed April 13 15:56

ls                      binpipe  pts/0      0.00 secs Wed April 13 15:56
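The two lastcomm listings above (per user, and per command) are easy to read by eye for a handful of records but not for a day's worth. As an added example that is not part of the original post, the following POSIX shell script runs two defender-side checks over lastcomm-style records: how many commands each user ran from each terminal, and which commands accounted to a non-root user carried the S flag, meaning they ran with superuser privileges (a setuid program, typically). lastcomm prints an optional flags column between the command and the user (F for a forked process that did not exec, S for superuser privileges), so the parser locates the terminal field first and reads the user from the field before it. The sample records are constructed here, not taken from the server in the post. One caveat to keep in mind when reading this data: process accounting stores only the command name, truncated to 15 characters (the 'udisks-helper-a' entry in the sa output later in the post is an example), and never its arguments, so a 'cat' record tells you a file was read but not which one.

```shell
#!/bin/sh
# Added example: defender-side checks over lastcomm-style records.
# The records below are constructed sample data, not output from any real host.
SAMPLE_LASTCOMM='su                      binpipe  pts/0      0.00 secs Wed Apr 13 15:56
bash               F    binpipe  pts/0      0.00 secs Wed Apr 13 15:56
id                      binpipe  pts/0      0.00 secs Wed Apr 13 15:56
whoami             S    binpipe  pts/0      0.00 secs Wed Apr 13 15:57
cat                S    binpipe  pts/0      0.00 secs Wed Apr 13 15:57
ls                      alice    pts/1      0.00 secs Wed Apr 13 16:02
cron               SF   root     __         0.00 secs Wed Apr 13 16:05'

# Normalize each record to: command flags user tty
# The flags column is optional, so the tty field (pts/N, ttyN or __, followed
# by "<seconds> secs") is located first and the user is the field before it.
# A record without a flags column gets "-" in that position.
lastcomm_normalize() {
  awk '{
    tty_idx = 0
    for (i = 2; i < NF - 1; i++) {
      if ($i ~ /^(pts\/|tty|__)/ && $(i + 1) ~ /^[0-9.]+$/ && $(i + 2) == "secs") {
        tty_idx = i; break
      }
    }
    if (tty_idx == 0) next                     # not a lastcomm record; skip it
    flags = (tty_idx == 4) ? $2 : "-"
    printf "%s %s %s %s\n", $1, flags, $(tty_idx - 1), $tty_idx
  }'
}

# Number of commands per user and terminal, printed as "user tty count".
lastcomm_per_user_tty() {
  lastcomm_normalize | awk '{ n[$3 " " $4]++ } END { for (k in n) print k, n[k] }' | sort
}

# Commands that carried the S (superuser) flag but were accounted to a
# non-root user: worth reviewing, since they ran with elevated privileges.
lastcomm_privileged_nonroot() {
  lastcomm_normalize | awk '$2 ~ /S/ && $3 != "root" { print $3, $4, $1 }'
}

echo "== commands per user/tty =="
printf '%s\n' "$SAMPLE_LASTCOMM" | lastcomm_per_user_tty
echo "== superuser-flagged commands of non-root users =="
printf '%s\n' "$SAMPLE_LASTCOMM" | lastcomm_privileged_nonroot
```

On a live system, replace the sample with real output, for example `lastcomm | lastcomm_per_user_tty`; the functions read standard input, so they work equally well on output saved from an earlier run.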

 

Display Statistics of Users' Connect Time

The ac command without any argument displays the total connect time in hours, based on the user logins/logouts recorded in the current wtmp file.

# ac

total     1814.03

Display Statistics of Users Day-wise

Using the command "ac -d" prints the total login time in hours, day by day.

# ac -d

April 17  total        5.23

April 18  total       15.20

April 24  total        3.21

April 25  total        2.27

April 26  total        2.64

April 27  total        6.19

March  1  total        6.41

March  3  total        2.42

March  4  total        2.52

March  5  total        6.11

March  8  total       12.98

March  9  total       22.65

March 11  total       16.18

Display Time Totals for each User

Using the command "ac -p" prints the total login time of each user in hours.

# ac -p

        root                              1645.18

        binpipe                            168.96

        total     1814.14

Display Individual User Time

To get the total login time of user "binpipe" in hours, use the command as follows.

# ac binpipe

 total      168.96

Display Day-Wise Login Time of User

The following command prints the day-wise total login time of user "binpipe" in hours.

# ac -d binpipe

March 11  total        8.01

March 12  total       24.00

March 15  total       70.50

March 16  total       23.57

March 17  total       24.00

March 18  total       18.70

Nov 20  total        0.18

Print All Account Activity Information

The "sa" command prints a summary of the commands that were executed by users.

# sa

       2       9.86re       0.00cp     2466k   sshd*

       8       1.05re       0.00cp     1064k   man

       2      10.08re       0.00cp     2562k   sshd

      12       0.00re       0.00cp     1298k   psacct

       2       0.00re       0.00cp     1575k   troff

      14       0.00re       0.00cp      503k   ac

      10       0.00re       0.00cp     1264k   psacct*

      10       0.00re       0.00cp      466k   consoletype

       9       0.00re       0.00cp      509k   sa

       8       0.02re       0.00cp      769k   udisks-helper-a

       6       0.00re       0.00cp     1057k   touch

       6       0.00re       0.00cp      592k   gzip

       6       0.00re       0.00cp      465k   accton

       4       1.05re       0.00cp     1264k   sh*

       4       0.00re       0.00cp     1264k   nroff*

       2       1.05re       0.00cp     1264k   sh

       2       1.05re       0.00cp     1120k   less

       2       0.00re       0.00cp     1346k   groff

       2       0.00re       0.00cp     1383k   grotty

       2       0.00re       0.00cp     1053k   mktemp

       2       0.00re       0.00cp     1030k   iconv

       2       0.00re       0.00cp     1023k   rm

       2       0.00re       0.00cp     1020k   cat

       2       0.00re       0.00cp     1018k   locale

       2       0.00re       0.00cp      802k   gtbl

Where, taking the first line as an example:

o 9.86re is the "real time" in wall-clock minutes

o 0.01cp is the sum of system and user time in CPU minutes

o 2466k is the CPU-time-averaged core usage, in 1k units

o sshd is the command name

Print Individual User Information

To get the information per individual user, use the -u option.

# sa -u

root       0.00 cpu      465k mem accton

root       0.00 cpu     1057k mem touch

root       0.00 cpu     1298k mem psacct

root       0.00 cpu      466k mem consoletype

root       0.00 cpu     1264k mem psacct           *

root       0.00 cpu     1298k mem psacct

root       0.00 cpu      466k mem consoletype

root       0.00 cpu     1264k mem psacct           *

root       0.00 cpu     1298k mem psacct

root       0.00 cpu      466k mem consoletype

root       0.00 cpu     1264k mem psacct           *

root       0.00 cpu      465k mem accton

root       0.00 cpu     1057k mem touch

Print Number of Processes

This command prints, per user, the total number of processes and CPU minutes. If you see these numbers continually increasing, it is time to look into what is happening on the system.

# sa -m

sshd                                    2       9.86re       0.00cp     2466k

root                                  127      14.29re       0.00cp      909k
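"Watch for a continual increase" is advice that only pays off if the numbers are actually compared over time. As an added example, not the post's own code, the following POSIX shell function compares two saved snapshots of "sa -m" output and reports every user whose process count grew by at least a given threshold, so the check can be scripted instead of eyeballed. Both snapshots are constructed sample data in the same column layout as the output above (user, count, re, cp, mem); the file names and the threshold of 100 are assumptions. Because sa counts every record in the current accounting file, the per-user counts are cumulative and the comparison is only meaningful between snapshots taken against the same file, i.e. before it is rotated.

```shell
#!/bin/sh
# Added example: compare two "sa -m" snapshots and report users whose
# process count grew by at least THRESHOLD. Both snapshots are constructed
# sample data in the column layout of "sa -m": user, count, re, cp, mem.
SA_M_BEFORE='sshd                                    2       9.86re       0.00cp     2466k
root                                  127      14.29re       0.00cp      909k
binpipe                                40       3.10re       0.00cp      812k'

SA_M_AFTER='sshd                                    2       9.86re       0.00cp     2466k
root                                  131      14.40re       0.00cp      910k
binpipe                               920      55.00re       0.31cp      815k
www-data                              300      12.00re       0.20cp      700k'

# usage: sa_m_growth BEFORE_FILE AFTER_FILE THRESHOLD
# Prints "user before after delta" for every user whose process count grew
# by at least THRESHOLD. Users absent from the baseline count as 0 before.
sa_m_growth() {
  awk -v threshold="$3" '
    NR == FNR { before[$1] = $2 + 0; next }       # first file: the baseline
    {
      delta = ($2 + 0) - (before[$1] + 0)
      if (delta >= threshold + 0)
        printf "%s %d %d %d\n", $1, before[$1] + 0, $2 + 0, delta
    }' "$1" "$2"
}

# Write the constructed snapshots to temporary files; in real use these would
# be the saved output of "sa -m" captured at two points in time (assumption).
before_file=$(mktemp)
after_file=$(mktemp)
trap 'rm -f "$before_file" "$after_file"' EXIT
printf '%s\n' "$SA_M_BEFORE" > "$before_file"
printf '%s\n' "$SA_M_AFTER" > "$after_file"

echo "== users whose process count grew by 100 or more =="
sa_m_growth "$before_file" "$after_file" 100
```

The `NR == FNR` idiom treats the first file as the baseline; it assumes that file is not empty, which holds whenever the baseline was taken while accounting was running. A user such as www-data that appears only in the later snapshot is reported with a baseline of 0, which is exactly the case (a new account or service suddenly spawning many processes) that deserves a look.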

Print Sort by Percentage

The command "sa -c" shows each count together with its percentage of the total, so the entries with the highest share of processes, real time and CPU time stand out.

# sa -c

 132  100.00%      24.16re  100.00%       0.01cp  100.00%      923k

       2    1.52%       9.86re   40.83%       0.00cp   53.33%     2466k   sshd*

       8    6.06%       1.05re    4.34%       0.00cp   20.00%     1064k   man

       2    1.52%      10.08re   41.73%       0.00cp   13.33%     2562k   sshd

      12    9.09%       0.00re    0.01%       0.00cp    6.67%     1298k   psacct

       2    1.52%       0.00re    0.00%       0.00cp    6.67%     1575k   troff

      18   13.64%       0.00re    0.00%       0.00cp    0.00%      509k   sa

      14   10.61%       0.00re    0.00%       0.00cp    0.00%      503k   ac

      10    7.58%       0.00re    0.00%       0.00cp    0.00%     1264k   psacct*

      10    7.58%       0.00re    0.00%       0.00cp    0.00%      466k   consoletype

       8    6.06%       0.02re    0.07%       0.00cp    0.00%      769k   udisks-helper-a

       6    4.55%       0.00re    0.00%       0.00cp    0.00%     1057k   touch

       6    4.55%       0.00re    0.00%       0.00cp    0.00%      592k   gzip

       6    4.55%       0.00re    0.00%       0.00cp    0.00%      465k   accton

       4    3.03%       1.05re    4.34%       0.00cp    0.00%     1264k   sh*

       4    3.03%       0.00re    0.00%       0.00cp    0.00%     1264k   nroff*

       2    1.52%       1.05re    4.34%       0.00cp    0.00%     1264k   sh

       2    1.52%       1.05re    4.34%       0.00cp    0.00%     1120k   less

       2    1.52%       0.00re    0.00%       0.00cp    0.00%     1346k   groff

       2    1.52%       0.00re    0.00%       0.00cp    0.00%     1383k   grotty

       2    1.52%       0.00re    0.00%       0.00cp    0.00%     1053k   mktemp