Monitoring Users Activity Using psacct or acct Tools in Linux

By
SK

If you have lot of developers or programmers who access your servers frequently in your company and if you wanna to keep an eye on what data they are accessing, what commands they are issuing, how long they have been accessing servers and how much system resources are consumed by them, then psacct or acct are the tools that you should have. Already we have covered some topics about monitoring tools such as Nagios and Cacti.

Monitoring-user-activity

Both psacct and acct are similar tools whereas psacct is available for RPM based systems and acct is available for DEB based systems.

Install psacct/acct

To install psacct under RPM based distributions, enter the following command:

[root@server ~]# yum install psacct -y

To install acct under DEB based systems, enter the following command:

sk@sk:~$ sudo apt-get install acct

After installing psacct or acct, start the services. You don’t need to start acct under Debian based systems. It will automatically start after installing it:

[root@server ~]# /etc/init.d/psacct start
Starting process accounting:                               [  OK  ]
[root@server ~]# chkconfig psacct on

Usage of psacct or acct

Let us see some examples of using psacct or acct tools.

Displaying total statistics of connect time of users

The ac command will show you the total connect time of users in hours:

[root@server ~]# ac
total       27.99

Displaying Day-wise user statistics

The following command will show you the statistics of users in day-wise in hours:

[root@server ~]# ac -d
Mar 12    total        0.87
Mar 14    total        0.10
May  5    total        16.45
May  6    total        2.25
May  7    total        3.77
May  8    total        4.02
Today    total         0.62

Displaying total login statistics of each user

The following command will show you the total login time each user in hours:

[root@server ~]# ac -p
root       28.09
total       28.09

Displaying Individual users statistics

The following command will show you the total login time of a particular user called sk in hours:

sk@sk:~$ ac sk
total       24.28

Displaying day-wise login statistics of a particular user

The following command will show you the login statistics of a particular user called sk:

sk@sk:~$ ac -d sk
May  1    total        1.24
May  2    total        2.19
May  3    total        1.11
May  4    total        1.11
May  5    total        3.10
May  6    total        1.95
May  7    total        5.10
May  8    total        5.15
Today    total        3.42

Printing all Users activities

The sa command is used to display all the commands executed by the users:

[root@server ~]# sa
    1209  204132.34re       0.67cp      700k
       6       2.16re       0.36cp    12405k   php
     327       0.30re       0.10cp      593k   gzip
     345       1.82re       0.06cp      746k   sh
      42       1.01re       0.05cp      701k   awk
     327       0.29re       0.03cp      519k   iconv
      27       0.15re       0.03cp     1142k   perl
      12  204124.35re       0.01cp      722k   ***other*
      40       0.03re       0.01cp      653k   find
       3       0.79re       0.00cp     2310k   rrdtool
       3       0.01re       0.00cp      699k   ps
      13       0.02re       0.00cp      570k   grep
      12       0.01re       0.00cp      517k   df
       7       0.01re       0.00cp      509k   cat
       3       1.35re       0.00cp     1490k   crond*
       3       0.00re       0.00cp      533k   uptime
       3       0.00re       0.00cp      523k   who
       3       0.00re       0.00cp      504k   ac
       2       0.01re       0.00cp      666k   logrotate
      10       0.00re       0.00cp      747k   makewhatis*
       2       0.00re       0.00cp      555k   sed
       5       0.00re       0.00cp      503k   basename
       3       0.00re       0.00cp      509k   tr
       4       0.00re       0.00cp      500k   logger
       3       0.00re       0.00cp      512k   rm
       2       0.00re       0.00cp      746k   makewhatis.cron*
       2       0.00re       0.00cp      802k   touch

Printing individual users activity

The following command will show you the activities of root user:

sk@sk:~$ sa -u
root       0.00 cpu     1042k mem      0 io accton          
root       0.00 cpu     1100k mem      0 io acct            
root       0.00 cpu     1100k mem      0 io invoke-rc.d     
root       0.00 cpu     1100k mem      0 io acct.postinst   
root       0.00 cpu     1100k mem      0 io ureadahead.post 
root       0.09 cpu     8144k mem      0 io dpkg            
root       0.00 cpu     6666k mem      0 io touch           
root       0.00 cpu     1100k mem      0 io sh              
root       0.00 cpu    25312k mem      0 io apt-get         *
root       0.00 cpu     6988k mem      0 io dpkg            
root       0.00 cpu     6988k mem      0 io dpkg            
root       0.00 cpu     6988k mem      0 io dpkg            
root       1.24 cpu    14010k mem      0 io apt-get         
root       0.00 cpu     5604k mem      0 io rm              
root       0.00 cpu     1100k mem      0 io sh              
root       0.03 cpu    11518k mem      0 io sudo            
sk         0.08 cpu    11752k mem      0 io lsb_release     
sk         0.00 cpu     6988k mem      0 io dpkg            
sk         0.00 cpu     6988k mem      0 io dpkg            
sk         0.00 cpu     6988k mem      0 io dpkg            
sk         0.00 cpu     6988k mem      0 io dpkg            
root       0.00 cpu        0k mem      0 io kworker/1:0     *

Printing number of Processes

The following command will show the total number of processes and CPU minutes. If you see the increase in these numbers, you should look in to systems to find out what is happening:

sk@sk:~$ sa -m
                                       59     214.15re       0.06cp         0avio      4923k
sk                                     24       3.06re       0.04cp         0avio      7515k
root                                   35     211.09re       0.02cp         0avio      3145k

Printing sort by percentage

The following command will show you the highest percentage of users:

sk@sk:~$ sa -c
      62  100.00%     224.18re  100.00%       0.06cp  100.00%         0avio      4787k
      19   30.65%     103.84re   46.32%       0.06cp   96.42%         0avio     10144k   ***other*
       8   12.90%       0.02re    0.01%       0.00cp    2.48%         0avio      7132k   dpkg
       3    4.84%       0.00re    0.00%       0.00cp    1.10%         0avio      4825k   unix_chkpwd
       6    9.68%      60.16re   26.84%       0.00cp    0.00%         0avio         0k   kworker/1:0*
       6    9.68%      60.16re   26.84%       0.00cp    0.00%         0avio         0k   kworker/1:2*
       5    8.06%       0.00re    0.00%       0.00cp    0.00%         0avio      1100k   sh
       4    6.45%       0.00re    0.00%       0.00cp    0.00%         0avio      2663k   sa
       4    6.45%       0.00re    0.00%       0.00cp    0.00%         0avio      1079k   ac
       3    4.84%       0.00re    0.00%       0.00cp    0.00%         0avio      1100k   acct
       2    3.23%       0.00re    0.00%       0.00cp    0.00%         0avio      3344k   rm
       2    3.23%       0.00re    0.00%       0.00cp    0.00%         0avio      1042k   accton

Listing last executed commands

The lastcomm command will show you the list of last commands executed by users:

[root@server ~]# lastcomm 
gzip                    root     __         0.02 secs Thu May  9 09:33
sh                      root     __         0.01 secs Thu May  9 09:33
iconv                   root     __         0.00 secs Thu May  9 09:33
gzip                    root     __         0.02 secs Thu May  9 09:33
sh                      root     __         0.01 secs Thu May  9 09:33
gzip                    root     __         0.01 secs Thu May  9 09:33
iconv                   root     __         0.00 secs Thu May  9 09:33
sh                      root     __         0.01 secs Thu May  9 09:33
gzip                    root     __         0.01 secs Thu May  9 09:33
iconv                   root     __         0.00 secs Thu May  9 09:33
sh                      root     __         0.01 secs Thu May  9 09:33
iconv                   root     __         0.00 secs Thu May  9 09:33
gzip                    root     __         0.01 secs Thu May  9 09:33
sh                      root     __         0.01 secs Thu May  9 09:33
iconv                   root     __         0.00 secs Thu May  9 09:33
gzip                    root     __         0.02 secs Thu May  9 09:33
sh                      root     __         0.01 secs Thu May  9 09:33
iconv                   root     __         0.01 secs Thu May  9 09:33
gzip                    root     __         0.03 secs Thu May  9 09:33
sh                      root     __         0.01 secs Thu May  9 09:33
gzip                    root     __         0.02 secs Thu May  9 09:33
iconv                   root     __         0.01 secs Thu May  9 09:33
sh                      root     __         0.01 secs Thu May  9 09:33
gzip                    root     __         0.02 secs Thu May  9 09:33
iconv                   root     __         0.00 secs Thu May  9 09:33
sh                      root     __         0.01 secs Thu May  9 09:33
iconv                   root     __         0.00 secs Thu May  9 09:33

To see the list of last commands executed by a particular user called sk, enter the following command:

sk@sk:~$ lastcomm sk
lastcomm               sk       pts/2      0.00 secs Thu May  9 09:54
sa                     sk       pts/2      0.00 secs Thu May  9 09:52
sa                     sk       pts/2      0.00 secs Thu May  9 09:52
sa                     sk       pts/2      0.00 secs Thu May  9 09:47
sa                     sk       pts/2      0.00 secs Thu May  9 09:47
sa                     sk       pts/2      0.00 secs Thu May  9 09:39
ac                     sk       pts/2      0.00 secs Thu May  9 09:36
ac                     sk       pts/2      0.00 secs Thu May  9 09:34
ac                     sk       pts/2      0.00 secs Thu May  9 09:31
ac                     sk       pts/2      0.00 secs Thu May  9 09:25
sh                     sk       __         0.00 secs Thu May  9 09:09
grep                   sk       __         0.00 secs Thu May  9 09:09
ps                     sk       __         0.01 secs Thu May  9 09:09
unix_chkpwd            sk       __         0.00 secs Thu May  9 09:07
unix_chkpwd            sk       __         0.02 secs Thu May  9 09:07
unix_chkpwd            sk       __         0.02 secs Thu May  9 09:07
xscreensaver-co        sk       __         0.00 secs Thu May  9 08:57
plugin-containe        sk       __         0.06 secs Thu May  9 08:52
acct                   sk       pts/2      0.00 secs Thu May  9 08:55
logger                 sk       pts/2      0.00 secs Thu May  9 08:55
accton                 sk       pts/2      0.00 secs Thu May  9 08:55
acct                   sk       pts/2      0.00 secs Thu May  9 08:55
apt-check              sk       __         1.98 secs Thu May  9 08:54
dpkg                   sk       __         0.00 secs Thu May  9 08:54
dpkg                   sk       __         0.00 secs Thu May  9 08:54

Searching logs of a particular command

The following command will show you the particular usage of a command by users:

sk@sk:~$ lastcomm ac
ac                     sk       pts/2      0.00 secs Thu May  9 09:36
ac                     sk       pts/2      0.00 secs Thu May  9 09:34
ac                     sk       pts/2      0.00 secs Thu May  9 09:31
ac                     sk       pts/2      0.00 secs Thu May  9 09:25

That’s it! Happy Monitoring.