I use this program in my own company. In our development team, developers constantly need to work on servers, so this is one of the best programs for closely monitoring them. This program provides an excellent way to monitor what users are doing, what commands they are running, how many resources they are using, and how long they are active on the system. Another outstanding feature of this program is that it displays the total resources used by services such as Apache, MySQL, FTP, and SSH.
Monitors Linux User Activities
In my opinion, for every Linux/Unix system administrator who wants to closely monitor user activity on his server/system, psacct or acct is one of the best and essential applications.
The psacct or acct package provides several features for monitoring process activity.
- The ac command outputs statistics on users' logon/logout time (in hours).
- The lastcomm command outputs the information of the commands previously executed by the user.
- The accton command is used to enable/disable the process accounting mechanism.
- The sa command summarizes information about previously executed commands.
- The last and lastb commands show the list of recently logged-on users.
Install the psacct or acct package
psacct and acct are similar packages. There is no big difference between the two, but the psacct package is only available for rpm-based distributions, such as RHEL, CentOS, and Fedora; the acct package is available for distributions such as Ubuntu, Debian, and Linux Mint.
To install the psacct package on an rpm-based distribution, run the following yum command.
# yum install psacct
To install the acct package in Ubuntu/Debian/Linux Mint, use the apt-get command.
$ sudo apt-get install acct
Or
# apt-get install acct
Starting psacct or acct service
By default, the psacct service is disabled. You need to manually enable the service on RHEL/CentOS/Fedora systems. Run the following command to check the service status.
# /etc/init.d/psacct status
Process accounting is disabled.
You can see that the status is disabled. You can use the following two commands to manually enable the service. These two commands create the /var/account/pacct file and enable the service.
# chkconfig psacct on
# /etc/init.d/psacct start
Starting process accounting: [ OK ]
After the service is enabled, check the status again. The status is enabled, as shown below.
# /etc/init.d/psacct status
Process accounting is enabled.
In Ubuntu, Debian, and Mint systems, the service is automatically started and you do not need to start the service again.
Displays user connection time statistics
If no parameter is specified, the ac command displays the total connection time in hours, based on the user logins/logouts recorded in the current wtmp file.
# ac
total 1814.03
Displays daily user statistics
Use the ac -d command to output the total logon time per day (in hours).
# ac -d
Sep 17 total 5.23
Sep 18 total 15.20
Sep 24 total 3.21
Sep 25 total 2.27
Sep 26 total 2.64
Sep 27 total 6.19
Oct 1 total 6.41
Oct 3 total 2.42
Oct 4 total 2.52
Oct 5 total 6.11
Oct 8 total 12.98
Oct 9 total 22.65
Oct 11 total 16.18
Display the total time of each user
Use the ac -p command to display the total logon time of each user (in hours).
# ac -p
root 1645.18
tecmint 168.96
total 1814.14
Show time of a single user
If you want to obtain the total logon time (in hours) of the user named tecmint, use the following command.
# ac tecmint
total 168.96
Displays the daily logon time of a user
The following command outputs the total daily logon time of the user tecmint (in hours).
# ac -d tecmint
Oct 11 total 8.01
Oct 12 total 24.00
Oct 15 total 70.50
Oct 16 total 23.57
Oct 17 total 24.00
Oct 18 total 18.70
Nov 20 total 0.18
Output all account activity information
The sa command is used to output a summary of the commands executed by users.
# sa
2 9.86re 0.00cp 2466k sshd*
8 1.05re 0.00cp 1064k man
2 10.08re 0.00cp 2562k sshd
12 0.00re 0.00cp 1298k psacct
2 0.00re 0.00cp 1575k troff
14 0.00re 0.00cp 503k ac
10 0.00re 0.00cp 1264k psacct*
10 0.00re 0.00cp 466k consoletype
9 0.00re 0.00cp 509k sa
8 0.02re 0.00cp 769k udisks-helper-a
6 0.00re 0.00cp 1057k touch
6 0.00re 0.00cp 592k gzip
6 0.00re 0.00cp 465k accton
4 1.05re 0.00cp 1264k sh*
4 0.00re 0.00cp 1264k nroff*
2 1.05re 0.00cp 1264k sh
2 1.05re 0.00cp 1120k less
2 0.00re 0.00cp 1346k groff
2 0.00re 0.00cp 1383k grotty
2 0.00re 0.00cp 1053k mktemp
2 0.00re 0.00cp 1030k iconv
2 0.00re 0.00cp 1023k rm
2 0.00re 0.00cp 1020k cat
2 0.00re 0.00cp 1018k locale
2 0.00re 0.00cp 802k gtbl
Where:
- 9.86re is the "real time", in minutes.
- 0.01cp is the sum of system and user time, in CPU minutes.
- 2466k is the CPU-time-averaged core (memory) usage, in 1k units.
- sshd is the command name.
Output single user information
To obtain information about a single user, use the -u option.
# sa -u
root 0.00 cpu 465k mem accton
root 0.00 cpu 1057k mem touch
root 0.00 cpu 1298k mem psacct
root 0.00 cpu 466k mem consoletype
root 0.00 cpu 1264k mem psacct *
root 0.00 cpu 1298k mem psacct
root 0.00 cpu 466k mem consoletype
root 0.00 cpu 1264k mem psacct *
root 0.00 cpu 1298k mem psacct
root 0.00 cpu 466k mem consoletype
root 0.00 cpu 1264k mem psacct *
root 0.00 cpu 465k mem accton
root 0.00 cpu 1057k mem touch
Output the number of processes
The following command outputs the total number of processes and the total number of processor minutes. If you see these numbers increasing, you need to check the system and analyze what is happening.
# sa -m
sshd 2 9.86re 0.00cp 2466k
root 127 14.29re 0.00cp 909k
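One way to watch for the increase described above is to save sa -m output periodically and compare two snapshots. The script below is an added example, not part of the original article; the function names sa_growth and demo_sa_growth, the threshold, and the "after" snapshot are constructed for illustration.

```shell
#!/bin/sh
# Compare two saved `sa -m` snapshots and report users whose process
# count grew by at least MIN_DELTA (hypothetical helper, not part of acct).
# Output columns: user old_count new_count delta
sa_growth() {
    old=$1 new=$2 min_delta=${3:-1}
    awk -v min="$min_delta" '
        # Lines whose 2nd column is not a plain count are skipped
        # (for example a totals line printed without a user name).
        FILENAME == ARGV[1] { if ($2 ~ /^[0-9]+$/) before[$1] = $2; next }
        $2 ~ /^[0-9]+$/ {
            # A user missing from the first snapshot starts from 0.
            prev = ($1 in before) ? before[$1] : 0
            delta = $2 - prev
            if (delta >= min) print $1, prev, $2, delta
        }
    ' "$old" "$new"
}

# Constructed sample: "before" is the sa -m output shown above,
# "after" is an invented later snapshot.
demo_sa_growth() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before" <<'EOF'
sshd 2 9.86re 0.00cp 2466k
root 127 14.29re 0.00cp 909k
EOF
    cat > "$dir/after" <<'EOF'
sshd 2 9.86re 0.00cp 2466k
root 131 14.40re 0.00cp 909k
tecmint 58 3.10re 0.02cp 1100k
EOF
    sa_growth "$dir/before" "$dir/after" "${1:-10}"
    rm -rf "$dir"
}

demo_sa_growth 10
```

On a live system the snapshots would come from commands such as sa -m > /some/path/snapshot run from cron; the path is a placeholder.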
Sort output by percentage
The sa -c command shows the highest percentage of users.
# sa -c
132 100.00% 24.16re 100.00% 0.01cp 100.00% 923k
2 1.52% 9.86re 40.83% 0.00cp 53.33% 2466k sshd*
8 6.06% 1.05re 4.34% 0.00cp 20.00% 1064k man
2 1.52% 10.08re 41.73% 0.00cp 13.33% 2562k sshd
12 9.09% 0.00re 0.01% 0.00cp 6.67% 1298k psacct
2 1.52% 0.00re 0.00% 0.00cp 6.67% 1575k troff
18 13.64% 0.00re 0.00% 0.00cp 0.00% 509k sa
14 10.61% 0.00re 0.00% 0.00cp 0.00% 503k ac
10 7.58% 0.00re 0.00% 0.00cp 0.00% 1264k psacct*
10 7.58% 0.00re 0.00% 0.00cp 0.00% 466k consoletype
8 6.06% 0.02re 0.07% 0.00cp 0.00% 769k udisks-helper-a
6 4.55% 0.00re 0.00% 0.00cp 0.00% 1057k touch
6 4.55% 0.00re 0.00% 0.00cp 0.00% 592k gzip
6 4.55% 0.00re 0.00% 0.00cp 0.00% 465k accton
4 3.03% 1.05re 4.34% 0.00cp 0.00% 1264k sh*
4 3.03% 0.00re 0.00% 0.00cp 0.00% 1264k nroff*
2 1.52% 1.05re 4.34% 0.00cp 0.00% 1264k sh
2 1.52% 1.05re 4.34% 0.00cp 0.00% 1120k less
2 1.52% 0.00re 0.00% 0.00cp 0.00% 1346k groff
2 1.52% 0.00re 0.00% 0.00cp 0.00% 1383k grotty
2 1.52% 0.00re 0.00% 0.00cp 0.00% 1053k mktemp
List recent commands executed by the user
The lastcomm command is used to search for and display information about previously executed user commands. You can also search for commands by a single user name. For example, we can see the commands executed by the user tecmint:
# lastcomm tecmint
su tecmint pts/0 0.00 secs Wed Feb 13 15:56
ls tecmint pts/0 0.00 secs Wed Feb 13 15:56
ls tecmint pts/0 0.00 secs Wed Feb 13 15:56
ls tecmint pts/0 0.00 secs Wed Feb 13 15:56
bash F tecmint pts/0 0.00 secs Wed Feb 13 15:56
id tecmint pts/0 0.00 secs Wed Feb 13 15:56
grep tecmint pts/0 0.00 secs Wed Feb 13 15:56
grep tecmint pts/0 0.00 secs Wed Feb 13 15:56
bash F tecmint pts/0 0.00 secs Wed Feb 13 15:56
dircolors tecmint pts/0 0.00 secs Wed Feb 13 15:56
bash F tecmint pts/0 0.00 secs Wed Feb 13 15:56
tput tecmint pts/0 0.00 secs Wed Feb 13 15:56
tty tecmint pts/0 0.00 secs Wed Feb 13 15:56
bash F tecmint pts/0 0.00 secs Wed Feb 13 15:56
id tecmint pts/0 0.00 secs Wed Feb 13 15:56
bash F tecmint pts/0 0.00 secs Wed Feb 13 15:56
id tecmint pts/0 0.00 secs Wed Feb 13 15:56
Search command logs
With the help of the lastcomm command, you can view the individual usage of each command.
# lastcomm ls
ls tecmint pts/0 0.00 secs Wed Feb 13 15:56
ls tecmint pts/0 0.00 secs Wed Feb 13 15:56
ls tecmint pts/0 0.00 secs Wed Feb 13 15:56
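For routine review, lastcomm output can be reduced to a per-user count of executed commands plus a list of records carrying the S (run by the superuser), D (dumped core) or X (killed by a signal) flags. The script below is an added example, not part of the original article; lastcomm_review and demo_lastcomm_review are hypothetical names and the sample records are constructed in the style of the output above.

```shell
#!/bin/sh
# Summarize lastcomm output read from stdin (hypothetical helper).
# Prints "EXEC user count" for commands that were really executed
# (records flagged F are forks without exec and are not counted) and
# "FLAG user command flags" for records carrying S, D or X.
lastcomm_review() {
    awk '
        {
            # The flags column may be empty, so locate the "secs" token:
            # time, tty and user sit at fixed offsets before it.
            s = 0
            for (i = 1; i <= NF; i++) if ($i == "secs") { s = i; break }
            if (s < 5) next                  # not a lastcomm record
            user = $(s - 3); flags = ""
            # Anything between the command and the user is flag letters.
            for (i = 2; i < s - 3; i++)
                if ($i ~ /^[SFCDX]+$/) flags = flags $i
            if (flags !~ /F/) execs[user]++
            if (flags ~ /[SDX]/) print "FLAG", user, $1, flags
        }
        END { for (u in execs) print "EXEC", u, execs[u] }
    ' | LC_ALL=C sort
}

# Constructed sample records (not taken from a real system).
demo_lastcomm_review() {
    lastcomm_review <<'EOF'
su tecmint pts/0 0.00 secs Wed Feb 13 15:56
ls tecmint pts/0 0.00 secs Wed Feb 13 15:56
bash F tecmint pts/0 0.00 secs Wed Feb 13 15:56
id tecmint pts/0 0.00 secs Wed Feb 13 15:56
sshd S root __ 0.01 secs Wed Feb 13 15:55
cron SF root __ 0.00 secs Wed Feb 13 15:50
python X tecmint pts/0 0.30 secs Wed Feb 13 15:49
EOF
}

demo_lastcomm_review
```

On a live system the input would be piped in, for example lastcomm | lastcomm_review.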