Monitor User Activities

psacct and acct are similar packages with little difference between them; the psacct package is only available for rpm-based distributions such as RHEL, CentOS and Fedora, whereas the acct package is available for distributions like Ubuntu, Debian and Linux Mint.

[root@localhost ~]# yum provides psacct
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
* base: centos.webwerks.com
* extras: centos.webwerks.com
* updates: centos.excellmedia.net
psacct-6.3.2-63.el6_3.3.x86_64 : Utilities for monitoring process activities
Repo        : base
Matched from:
psacct-6.3.2-63.el6_3.3.x86_64 : Utilities for monitoring process activities
Repo        : installed
Matched from:
Other       : Provides-match: psacct

[root@localhost ~]# yum install psacct
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: centos.webwerks.com
* extras: centos.webwerks.com
* updates: centos.excellmedia.net
Package psacct-6.3.2-63.el6_3.3.x86_64 already installed and latest version
Nothing to do
[root@localhost ~]# service psacct status
Process accounting is disabled.
[root@localhost ~]# service psacct start
Starting process accounting:                               [  OK  ]

Running the ac command without any argument displays the total connect time in hours, based on the user logins/logouts recorded in the current wtmp file.
[root@localhost ~]# ac
total        1.00

The command “ac -d” prints the total login time in hours, broken down by day.
[root@localhost ~]# ac -d
Apr 26 total        0.18
Today total        0.82

Using command “ac -p” will print the total login time of each user in hours.
[root@localhost ~]# ac -p
root                                 0.71
mohammedrafi                         0.30
total        1.01

                                    Display Day-Wise Login Time of a User

[root@localhost ~]# ac -d mohammedrafi
Today total        0.30

[root@localhost ~]# sa
378 2391803.60re       0.01cp     8610k
11 2391801.90re       0.00cp    23870k   ***other*
6       0.00re       0.00cp    25248k   sadc
4       0.00re       0.00cp     1642k   lastcomm
7       0.01re       0.00cp    29216k   crond*
5       0.00re       0.00cp    27152k   00-netreport
5       0.85re       0.00cp    13038k   nm-dispatcher.a
3       0.00re       0.00cp     1370k   sa
243       0.83re       0.00cp     5602k   tpvmlp*
7       0.00re       0.00cp     4246k   unix_chkpwd
2       0.00re       0.00cp    25216k   logger
15       0.00re       0.00cp    19035k   00-netreport*
15       0.00re       0.00cp     2835k   10-dhclient*
13       0.00re       0.00cp    26304k   date
6       0.00re       0.00cp    25232k   cat
5       0.00re       0.00cp     8028k   dbus-daemon*
5       0.00re       0.00cp     5098k   nm-dhcp-client.
5       0.00re       0.00cp     2834k   10-dhclient
5       0.00re       0.00cp     2834k   05-netfs
5       0.00re       0.00cp     1611k   grep
5       0.00re       0.00cp      981k   consoletype
4       0.00re       0.00cp     1018k   ac
2       0.00re       0.00cp    25232k   basename

Where:
0.06re is the “real time” in wall-clock minutes
0.00cp is the sum of system and user time in CPU minutes
7250k is the CPU-time-averaged core usage, in 1k units
ac is the command name

[root@localhost ~]# sa -u
root       0.00 cpu      981k mem accton
root       0.00 cpu    26288k mem touch
root       0.02 cpu    27120k mem psacct
root       0.02 cpu    26592k mem service
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     1018k mem ac
root       0.00 cpu     1018k mem ac
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     1018k mem ac
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     1018k mem ac
root       0.00 cpu     5602k mem tpvmlp           *
root       0.00 cpu     1019k mem sa
root       0.00 cpu     5602k mem tpvmlp           *

[root@localhost ~]# lastcomm root
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:26
lastcomm                root     pts/0      0.03 secs Wed Apr 27 22:26
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:26
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:25
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:25
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:25
sa                      root     pts/0      0.02 secs Wed Apr 27 22:25
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:25
sa                      root     pts/0      0.00 secs Wed Apr 27 22:24
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:24
ac                      root     pts/0      0.00 secs Wed Apr 27 22:24
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:24
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:24
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:24
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:23
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:23
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:23
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:23
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:22
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:22
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:22
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:22
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:21
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:21
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:21
ac                      root     pts/0      0.00 secs Wed Apr 27 22:21
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:21
ac                      root     pts/0      0.00 secs Wed Apr 27 22:21
ac                      root     pts/0      0.00 secs Wed Apr 27 22:20
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:20
tpvmlp            SF    root     __         0.00 secs Wed Apr 27 22:20
service                 root     pts/0      0.02 secs Wed Apr 27 22:20
psacct                  root     pts/0      0.02 secs Wed Apr 27 22:20
touch                   root     pts/0      0.00 secs Wed Apr 27 22:20
accton            S     root     pts/0      0.00 secs Wed Apr 27 22:20

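The ‘lastcomm’ command searches the accounting records and displays information about previously executed commands. You can filter the output by user name or by command name. In the flags column, S marks a command run by the superuser and F marks a process that forked without a following exec. Process accounting records only the command name (visibly truncated in the listings above, e.g. “nm-dispatcher.a”), not its arguments or full path, so it shows that a program ran but not what it was run on; use the audit subsystem (auditd) when full command lines are needed.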

[root@localhost ~]# lastcomm ls
[root@localhost ~]# ls -l
total 96
-rw-------. 1 root root  3346 Apr 26 07:05 anaconda-ks.cfg
drwxr-xr-x. 2 root root  4096 Apr 26 01:38 Desktop
drwxr-xr-x. 2 root root  4096 Apr 26 01:38 Documents
drwxr-xr-x. 2 root root  4096 Apr 26 01:38 Downloads
-rw-r--r--. 1 root root 41800 Apr 26 07:04 install.log
-rw-r--r--. 1 root root  9154 Apr 26 07:02 install.log.syslog
drwxr-xr-x. 2 root root  4096 Apr 26 01:38 Music
drwxr-xr-x. 2 root root  4096 Apr 26 01:38 Pictures
drwxr-xr-x. 2 root root  4096 Apr 26 01:38 Public
drwxr-xr-x. 2 root root  4096 Apr 26 01:38 Templates
drwxr-xr-x. 2 root root  4096 Apr 26 01:38 Videos

[root@localhost ~]# lastcomm ls
ls                      root     pts/0      0.02 secs Wed Apr 27 22:29

[root@localhost ~]# lastcomm mohammedrafi
[root@localhost ~]# su - mohammedrafi
[mohammedrafi@localhost ~]$ pwd
/home/mohammedrafi
[mohammedrafi@localhost ~]$ logout
[root@localhost ~]# lastcomm mohammedrafi
bash              S     mohammed pts/0      0.01 secs Wed Apr 27 23:27
bash               F    mohammed pts/0      0.00 secs Wed Apr 27 23:27
id                      mohammed pts/0      0.00 secs Wed Apr 27 23:27
bash               F    mohammed pts/0      0.00 secs Wed Apr 27 23:27
consoletype             mohammed pts/0      0.00 secs Wed Apr 27 23:27
grep                    mohammed pts/0      0.00 secs Wed Apr 27 23:27
bash               F    mohammed pts/0      0.00 secs Wed Apr 27 23:27
dircolors               mohammed pts/0      0.00 secs Wed Apr 27 23:27
bash               F    mohammed pts/0      0.00 secs Wed Apr 27 23:27
tput                    mohammed pts/0      0.00 secs Wed Apr 27 23:27
tty                     mohammed pts/0      0.00 secs Wed Apr 27 23:27
bash               F    mohammed pts/0      0.00 secs Wed Apr 27 23:27
id                      mohammed pts/0      0.00 secs Wed Apr 27 23:27
bash               F    mohammed pts/0      0.00 secs Wed Apr 27 23:27
id                      mohammed pts/0      0.00 secs Wed Apr 27 23:27
bash               F    mohammed pts/0      0.00 secs Wed Apr 27 23:27
hostname                mohammed pts/0      0.00 secs Wed Apr 27 23:27
bash               F    mohammed pts/0      0.00 secs Wed Apr 27 23:27
id                      mohammed pts/0      0.00 secs Wed Apr 27 23:27

The “sa -m” command prints the total number of processes and CPU minutes for each user. If you see a continuing increase in these numbers, then it's time to look into what is happening on the system.
[root@localhost ~]# sa -m
                                      446 2391804.04re       0.01cp     8398k
root                                  420       2.09re       0.01cp     8420k
postfix                                 1 2391801.86re       0.00cp    20240k
mohammedrafi                           19       0.09re       0.00cp     7398k
dbus                                    6       0.00re       0.00cp     8028k
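The command “sa -c” adds a percentage next to each column, showing each command's share of the overall total, so the commands with the highest percentages stand out.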
[root@localhost ~]# sa -c
     449  100.00% 2391804.05re  100.00%       0.01cp  100.00%     8370k
      17    3.79% 2391802.08re  100.00%       0.00cp   32.00%    19346k   ***other*
       6    1.34%       0.00re    0.00%       0.00cp   20.00%    25248k   sadc
       8    1.78%       0.00re    0.00%       0.00cp   16.00%     1642k   lastcomm
       7    1.56%       0.01re    0.00%       0.00cp   10.00%    29216k   crond*
       6    1.34%       0.00re    0.00%       0.00cp    8.00%    27152k   00-netreport
       6    1.34%       1.02re    0.00%       0.00cp    4.00%    13038k   nm-dispatcher.a
       5    1.11%       0.00re    0.00%       0.00cp    4.00%     1335k   sa
     273   60.80%       0.93re    0.00%       0.00cp    2.00%     5602k   tpvmlp*
       7    1.56%       0.00re    0.00%       0.00cp    2.00%     4246k   unix_chkpwd
       2    0.45%       0.00re    0.00%       0.00cp    2.00%    25216k   logger
      18    4.01%       0.00re    0.00%       0.00cp    0.00%    19035k   00-netreport*
      18    4.01%       0.00re    0.00%       0.00cp    0.00%     2835k   10-dhclient*
      13    2.90%       0.00re    0.00%       0.00cp    0.00%    26304k   date
       8    1.78%       0.00re    0.00%       0.00cp    0.00%     8890k   bash*
       7    1.56%       0.00re    0.00%       0.00cp    0.00%    25232k   cat
       7    1.56%       0.00re    0.00%       0.00cp    0.00%     1611k   grep
       7    1.56%       0.00re    0.00%       0.00cp    0.00%      981k   consoletype
       6    1.34%       0.00re    0.00%       0.00cp    0.00%     8028k   dbus-daemon*
       6    1.34%       0.00re    0.00%       0.00cp    0.00%     5098k   nm-dhcp-client.
       6    1.34%       0.00re    0.00%       0.00cp    0.00%     2834k   10-dhclient
       6    1.34%       0.00re    0.00%       0.00cp    0.00%     2834k   05-netfs
       4    0.89%       0.00re    0.00%       0.00cp    0.00%     1018k   ac
       4    0.89%       0.00re    0.00%       0.00cp    0.00%     8525k   id
       2    0.45%       0.00re    0.00%       0.00cp    0.00%    25232k   basename