If many developers or programmers in your company access your servers frequently, and you want to keep an eye on what data they are accessing, what commands they are issuing, how long they have been accessing the servers and how much system resources they consume, then psacct or acct are the tools that you should have. We have already covered some monitoring tools such as Nagios and Cacti.
psacct and acct are similar tools: psacct is available for RPM-based systems and acct is available for DEB-based systems.
Install psacct/acct
To install psacct under RPM based distributions, enter the following command:
[root@server ~]# yum install psacct -y
To install acct under DEB based systems, enter the following command:
sk@sk:~$ sudo apt-get install acct
After installing psacct or acct, start the services. You don’t need to start acct under Debian based systems. It will automatically start after installing it:
[root@server ~]# /etc/init.d/psacct start
Starting process accounting: [ OK ]
[root@server ~]# chkconfig psacct on
Usage of psacct or acct
Let us see some examples of using psacct or acct tools.
Displaying total statistics of connect time of users
The ac command will show you the total connect time of users in hours:
[root@server ~]# ac
total 27.99
Displaying Day-wise user statistics
The following command will show you the connect time of users per day, in hours:
[root@server ~]# ac -d
Mar 12 total 0.87
Mar 14 total 0.10
May 5 total 16.45
May 6 total 2.25
May 7 total 3.77
May 8 total 4.02
Today total 0.62
Displaying total login statistics of each user
The following command will show you the total login time of each user in hours:
[root@server ~]# ac -p
root 28.09
total 28.09
Displaying Individual users statistics
The following command will show you the total login time of a particular user called sk in hours:
sk@sk:~$ ac sk
total 24.28
Displaying day-wise login statistics of a particular user
The following command will show you the login statistics of a particular user called sk:
sk@sk:~$ ac -d sk
May 1 total 1.24
May 2 total 2.19
May 3 total 1.11
May 4 total 1.11
May 5 total 3.10
May 6 total 1.95
May 7 total 5.10
May 8 total 5.15
Today total 3.42
Printing all Users activities
The sa command is used to display all the commands executed by the users:
[root@server ~]# sa
1209 204132.34re 0.67cp 700k
6 2.16re 0.36cp 12405k php
327 0.30re 0.10cp 593k gzip
345 1.82re 0.06cp 746k sh
42 1.01re 0.05cp 701k awk
327 0.29re 0.03cp 519k iconv
27 0.15re 0.03cp 1142k perl
12 204124.35re 0.01cp 722k ***other*
40 0.03re 0.01cp 653k find
3 0.79re 0.00cp 2310k rrdtool
3 0.01re 0.00cp 699k ps
13 0.02re 0.00cp 570k grep
12 0.01re 0.00cp 517k df
7 0.01re 0.00cp 509k cat
3 1.35re 0.00cp 1490k crond*
3 0.00re 0.00cp 533k uptime
3 0.00re 0.00cp 523k who
3 0.00re 0.00cp 504k ac
2 0.01re 0.00cp 666k logrotate
10 0.00re 0.00cp 747k makewhatis*
2 0.00re 0.00cp 555k sed
5 0.00re 0.00cp 503k basename
3 0.00re 0.00cp 509k tr
4 0.00re 0.00cp 500k logger
3 0.00re 0.00cp 512k rm
2 0.00re 0.00cp 746k makewhatis.cron*
2 0.00re 0.00cp 802k touch
Printing individual users activity
The following command will show you the activities of each user (root and sk in this output), one line per executed command:
sk@sk:~$ sa -u
root 0.00 cpu 1042k mem 0 io accton
root 0.00 cpu 1100k mem 0 io acct
root 0.00 cpu 1100k mem 0 io invoke-rc.d
root 0.00 cpu 1100k mem 0 io acct.postinst
root 0.00 cpu 1100k mem 0 io ureadahead.post
root 0.09 cpu 8144k mem 0 io dpkg
root 0.00 cpu 6666k mem 0 io touch
root 0.00 cpu 1100k mem 0 io sh
root 0.00 cpu 25312k mem 0 io apt-get *
root 0.00 cpu 6988k mem 0 io dpkg
root 0.00 cpu 6988k mem 0 io dpkg
root 0.00 cpu 6988k mem 0 io dpkg
root 1.24 cpu 14010k mem 0 io apt-get
root 0.00 cpu 5604k mem 0 io rm
root 0.00 cpu 1100k mem 0 io sh
root 0.03 cpu 11518k mem 0 io sudo
sk 0.08 cpu 11752k mem 0 io lsb_release
sk 0.00 cpu 6988k mem 0 io dpkg
sk 0.00 cpu 6988k mem 0 io dpkg
sk 0.00 cpu 6988k mem 0 io dpkg
sk 0.00 cpu 6988k mem 0 io dpkg
root 0.00 cpu 0k mem 0 io kworker/1:0 *
Printing number of Processes
The following command will show the total number of processes and CPU minutes per user. If you see an increase in these numbers, you should look into the system to find out what is happening:
sk@sk:~$ sa -m
59 214.15re 0.06cp 0avio 4923k
sk 24 3.06re 0.04cp 0avio 7515k
root 35 211.09re 0.02cp 0avio 3145k
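One way to spot such an increase is to save the `sa -m` output periodically and compare two snapshots. The script below is an added example, not part of the original article; the function names, the default threshold of 10 processes and the second snapshot are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare two saved `sa -m` snapshots and report users whose
# process count grew by at least MIN_PROCS (hypothetical default: 10).
# Usage: sa_m_delta BASELINE_FILE CURRENT_FILE [MIN_PROCS]
sa_m_delta() {
    awk -v min_procs="${3:-10}" '
        # The summary line has no user name (5 fields); user lines have 6.
        NF == 5 { user = "(total)"; procs = $1; cp = $3 }
        NF == 6 { user = $1;        procs = $2; cp = $4 }
        NF != 5 && NF != 6 { next }
        { sub(/cp$/, "", cp) }                 # "0.06cp" -> "0.06"
        # First file: remember the baseline figures per user.
        FNR == NR { base_procs[user] = procs; base_cp[user] = cp; next }
        # Second file: a user missing from the baseline counts from zero.
        {
            dp = procs - base_procs[user]
            dc = cp - base_cp[user]
            # A negative delta can mean the accounting file was rotated
            # between the two snapshots; such rows are not reported here.
            if (dp >= min_procs)
                printf "%s procs +%d cp +%.2f\n", user, dp, dc
        }
    ' "$1" "$2"
}

# Demo: the baseline is the `sa -m` output shown above; the later snapshot
# is constructed for this example.
demo_sa_m_delta() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/base" <<'EOF'
59 214.15re 0.06cp 0avio 4923k
sk 24 3.06re 0.04cp 0avio 7515k
root 35 211.09re 0.02cp 0avio 3145k
EOF
    cat > "$tmp/now" <<'EOF'
131 298.40re 0.91cp 0avio 5120k
sk 92 80.11re 0.85cp 0avio 7702k
root 39 218.29re 0.06cp 0avio 3150k
EOF
    sa_m_delta "$tmp/base" "$tmp/now" "${1:-10}"
    rm -rf "$tmp"
}

demo_sa_m_delta
```

On a live system the two files would come from `sa -m > file` run at different times, for example from a daily cron job.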
Printing sort by percentage
The following command will show you each command's share of the totals as percentages:
sk@sk:~$ sa -c
62 100.00% 224.18re 100.00% 0.06cp 100.00% 0avio 4787k
19 30.65% 103.84re 46.32% 0.06cp 96.42% 0avio 10144k ***other*
8 12.90% 0.02re 0.01% 0.00cp 2.48% 0avio 7132k dpkg
3 4.84% 0.00re 0.00% 0.00cp 1.10% 0avio 4825k unix_chkpwd
6 9.68% 60.16re 26.84% 0.00cp 0.00% 0avio 0k kworker/1:0*
6 9.68% 60.16re 26.84% 0.00cp 0.00% 0avio 0k kworker/1:2*
5 8.06% 0.00re 0.00% 0.00cp 0.00% 0avio 1100k sh
4 6.45% 0.00re 0.00% 0.00cp 0.00% 0avio 2663k sa
4 6.45% 0.00re 0.00% 0.00cp 0.00% 0avio 1079k ac
3 4.84% 0.00re 0.00% 0.00cp 0.00% 0avio 1100k acct
2 3.23% 0.00re 0.00% 0.00cp 0.00% 0avio 3344k rm
2 3.23% 0.00re 0.00% 0.00cp 0.00% 0avio 1042k accton
Listing last executed commands
The lastcomm command will show you the list of last commands executed by users:
[root@server ~]# lastcomm
gzip root __ 0.02 secs Thu May 9 09:33
sh root __ 0.01 secs Thu May 9 09:33
iconv root __ 0.00 secs Thu May 9 09:33
gzip root __ 0.02 secs Thu May 9 09:33
sh root __ 0.01 secs Thu May 9 09:33
gzip root __ 0.01 secs Thu May 9 09:33
iconv root __ 0.00 secs Thu May 9 09:33
sh root __ 0.01 secs Thu May 9 09:33
gzip root __ 0.01 secs Thu May 9 09:33
iconv root __ 0.00 secs Thu May 9 09:33
sh root __ 0.01 secs Thu May 9 09:33
iconv root __ 0.00 secs Thu May 9 09:33
gzip root __ 0.01 secs Thu May 9 09:33
sh root __ 0.01 secs Thu May 9 09:33
iconv root __ 0.00 secs Thu May 9 09:33
gzip root __ 0.02 secs Thu May 9 09:33
sh root __ 0.01 secs Thu May 9 09:33
iconv root __ 0.01 secs Thu May 9 09:33
gzip root __ 0.03 secs Thu May 9 09:33
sh root __ 0.01 secs Thu May 9 09:33
gzip root __ 0.02 secs Thu May 9 09:33
iconv root __ 0.01 secs Thu May 9 09:33
sh root __ 0.01 secs Thu May 9 09:33
gzip root __ 0.02 secs Thu May 9 09:33
iconv root __ 0.00 secs Thu May 9 09:33
sh root __ 0.01 secs Thu May 9 09:33
iconv root __ 0.00 secs Thu May 9 09:33
To see the list of last commands executed by a particular user called sk, enter the following command:
sk@sk:~$ lastcomm sk
lastcomm sk pts/2 0.00 secs Thu May 9 09:54
sa sk pts/2 0.00 secs Thu May 9 09:52
sa sk pts/2 0.00 secs Thu May 9 09:52
sa sk pts/2 0.00 secs Thu May 9 09:47
sa sk pts/2 0.00 secs Thu May 9 09:47
sa sk pts/2 0.00 secs Thu May 9 09:39
ac sk pts/2 0.00 secs Thu May 9 09:36
ac sk pts/2 0.00 secs Thu May 9 09:34
ac sk pts/2 0.00 secs Thu May 9 09:31
ac sk pts/2 0.00 secs Thu May 9 09:25
sh sk __ 0.00 secs Thu May 9 09:09
grep sk __ 0.00 secs Thu May 9 09:09
ps sk __ 0.01 secs Thu May 9 09:09
unix_chkpwd sk __ 0.00 secs Thu May 9 09:07
unix_chkpwd sk __ 0.02 secs Thu May 9 09:07
unix_chkpwd sk __ 0.02 secs Thu May 9 09:07
xscreensaver-co sk __ 0.00 secs Thu May 9 08:57
plugin-containe sk __ 0.06 secs Thu May 9 08:52
acct sk pts/2 0.00 secs Thu May 9 08:55
logger sk pts/2 0.00 secs Thu May 9 08:55
accton sk pts/2 0.00 secs Thu May 9 08:55
acct sk pts/2 0.00 secs Thu May 9 08:55
apt-check sk __ 1.98 secs Thu May 9 08:54
dpkg sk __ 0.00 secs Thu May 9 08:54
dpkg sk __ 0.00 secs Thu May 9 08:54
Searching logs of a particular command
The following command will show you every recorded execution of a particular command (here, ac) and the user who ran it:
sk@sk:~$ lastcomm ac
ac sk pts/2 0.00 secs Thu May 9 09:36
ac sk pts/2 0.00 secs Thu May 9 09:34
ac sk pts/2 0.00 secs Thu May 9 09:31
ac sk pts/2 0.00 secs Thu May 9 09:25
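For routine review, the lastcomm output can be reduced to a short report of commands you care about, such as accton (which switches accounting on or off) or package-manager runs. The script below is an added example, not part of the original article; the function names and the watch list are assumptions, and the last sample record is constructed.

```shell
#!/bin/sh
# Added example: summarize watched commands from `lastcomm` output on stdin.
# Usage: lastcomm | lastcomm_watch accton,dpkg
# Accounting records hold only the command name, cut to 15 characters
# (see "xscreensaver-co" above), so watch-list entries must match that form.
lastcomm_watch() {
    awk -v watch="${1:-accton}" '
        BEGIN { n = split(watch, w, ","); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        {
            # Anchor on the "secs" token and count fields back from it, so an
            # optional flags column after the command does not shift anything.
            s = 0
            for (i = 1; i <= NF; i++) if ($i == "secs") { s = i; break }
            if (s < 5 || !($1 in want)) next
            user = $(s - 3); tty = $(s - 2)
            key = user " " $1 " " tty
            if (!(key in count)) {
                # lastcomm prints newest first: the first hit is the latest.
                order[++k] = key
                when = $(s + 1)
                for (i = s + 2; i <= NF; i++) when = when " " $i
                latest[key] = when
            }
            count[key]++
        }
        END {
            for (i = 1; i <= k; i++)
                printf "%d %s latest=%s\n", count[order[i]], order[i], latest[order[i]]
        }
    '
}

# Demo input: records taken from the output above, plus one constructed
# record (the last line) that carries a flags column.
demo_lastcomm_watch() {
    lastcomm_watch accton,dpkg <<'EOF'
lastcomm sk pts/2 0.00 secs Thu May 9 09:54
sa sk pts/2 0.00 secs Thu May 9 09:52
unix_chkpwd sk __ 0.02 secs Thu May 9 09:07
acct sk pts/2 0.00 secs Thu May 9 08:55
accton sk pts/2 0.00 secs Thu May 9 08:55
apt-check sk __ 1.98 secs Thu May 9 08:54
dpkg sk __ 0.00 secs Thu May 9 08:54
dpkg sk __ 0.00 secs Thu May 9 08:54
accton S root __ 0.00 secs Thu May 9 08:40
EOF
}

demo_lastcomm_watch
```

Each output line gives the number of runs, the user, the command, the terminal and the time of the most recent run.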
That’s it! Happy Monitoring.