Type : System
Operating System : Red Hat, Fedora, CentOS
Like every system administrator, you want to know what happens on your server and what users are doing with it.
The psacct package ships the BSD process-accounting tools. The recording itself is done by the kernel once accton enables it: every process that exits leaves a record, which is what lets you trace the activity of each user present on the server, independently of what their shell wrote (or did not write) to a history file.
Tools :
- ac prints out a report of connect time (in hours) based on the logins/logouts in the current wtmp file.
- sa summarizes information about previously executed commands as recorded in the acct file.
- accton turns process accounting on or off.
- lastcomm prints out information about previously executed commands.
- last, lastb show a listing of last logged in users and of failed logins. On these distributions they come from the base system rather than from psacct, and they read /var/log/wtmp and /var/log/btmp, which are written by login services whether or not process accounting is enabled.
INSTALL
Install the package on your server :
#yum install psacct
Enable the service at boot :
#chkconfig psacct on
Start the service :
#service psacct start
The service script does nothing more than run accton against the accounting file, /var/account/pacct on these distributions. Records are appended there as processes exit, so a freshly started service has nothing to report until the first process terminates.
LAST USER CONNECTIONS :
If you want details on a user's activity, you first need to know who was connected, when, and on which terminal. last reads this from /var/log/wtmp.
History of logins (-i prints the source as an IP address instead of a host name) :
# last -i
ffaye pts/0 *.*.*.* Sat Nov 21 18:57 still logged in
ffaye pts/2 *.*.*.* Sat Nov 21 18:24 still logged in
ffaye pts/2 *.*.*.* Fri Nov 20 17:51 - 17:52 (00:00)
ffaye pts/2 *.*.*.* Fri Nov 20 17:50 - 17:51 (00:00)
ffaye pts/2 *.*.*.* Fri Nov 20 17:48 - 17:49 (00:01)
ffaye pts/1 *.*.*.* Fri Nov 20 17:47 still logged in
ffaye pts/1 *.*.*.* Fri Nov 20 17:41 - 17:47 (00:05)
ffaye pts/0 *.*.*.* Thu Nov 19 22:51 - 18:57 (1+20:06)
reboot system boot 0.0.0.0 Thu Nov 19 22:49 (1+20:39)
root pts/0 *.*.*.* Thu Nov 19 16:59 - down (05:48)
reboot system boot 0.0.0.0 Thu Nov 19 16:57 (05:49)
lastb is the same as last, except that by default it reads /var/log/btmp, which records failed login attempts. btmp is readable only by root, and ssh:notty marks an SSH attempt that never obtained a terminal. Several entries for the same account within the same minute, as below, are the typical signature of password guessing.
# lastb -i
fabien ssh:notty *.*.*.* Sat Nov 21 18:22 - 18:22 (00:00)
fabien ssh:notty *.*.*.* Sat Nov 21 18:22 - 18:22 (00:00)
fabien ssh:notty *.*.*.* Sat Nov 21 18:22 - 18:22 (00:00)
root ssh:notty *.*.*.* Sat Nov 21 12:38 - 12:38 (00:00)
root ssh:notty *.*.*.* Sat Nov 21 12:38 - 12:38 (00:00)
root ssh:notty *.*.*.* Sat Nov 21 12:38 - 12:38 (00:00)
root ssh:notty *.*.*.* Fri Nov 20 21:02 - 21:02 (00:00)
root ssh:notty *.*.*.* Fri Nov 20 21:02 - 21:02 (00:00)
root ssh:notty *.*.*.* Fri Nov 20 17:49 - 17:49 (00:00)
root ssh:notty *.*.*.* Fri Nov 20 17:49 - 17:49 (00:00)
root ssh:notty *.*.*.* Fri Nov 20 11:19 - 11:19 (00:00)
eaguilar ssh:notty *.*.*.* Fri Nov 20 11:19 - 11:19 (00:00)
eaguilar ssh:notty *.*.*.* Fri Nov 20 11:19 - 11:19 (00:00)
root ssh:notty *.*.*.* Fri Nov 20 06:19 - 06:19 (00:00)
root ssh:notty *.*.*.* Fri Nov 20 06:19 - 06:19 (00:00)
root ssh:notty *.*.*.* Fri Nov 20 06:19 - 06:19 (00:00)
ffaye ssh:notty *.*.*.* Thu Nov 19 22:50 - 22:50 (00:00)
ffaye ssh:notty *.*.*.* Thu Nov 19 22:50 - 22:50 (00:00)
ffaye ssh:notty *.*.*.* Thu Nov 19 22:50 - 22:50 (00:00)
ffaye ssh:notty *.*.*.* Thu Nov 19 22:50 - 22:50 (00:00)
ffaye ssh:notty *.*.*.* Thu Nov 19 22:49 - 22:49 (00:00)
ffaye ssh:notty *.*.*.* Thu Nov 19 22:49 - 22:49 (00:00)
ffaye ssh:notty *.*.*.* Thu Nov 19 22:49 - 22:49 (00:00)
ffaye ssh:notty *.*.*.* Thu Nov 19 16:59 - 16:59 (00:00)
ffaye ssh:notty *.*.*.* Thu Nov 19 16:59 - 16:59 (00:00)
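The listing above is easier to act on once it is reduced to counts per account and source address. The script below is an added example, not part of the original page: it reads lastb -i output on standard input, groups entries by user and source, and prints the pairs that reach a threshold. The sample records embedded in it are constructed for the example (addresses from the RFC 5737 documentation ranges); on a real host it runs as root against lastb.

```shell
#!/bin/sh
# Added example (not from the original page): summarise failed logins per
# (user, source) pair from `lastb -i` output and flag repeated attempts.
# Usage on a live host (root, since /var/log/btmp is mode 0600):
#   lastb -i | failed_logins_summary 3
# Reads lastb-style lines on stdin; argument 1 is the threshold (default 3).
failed_logins_summary() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /^(btmp|wtmp) begins/ { next }   # trailer line printed by last/lastb
        NF < 4                { next }   # blank line at the end of the report
        { count[$1 " " $3]++ }           # $1 = user, $3 = source address (-i)
        END {
            for (key in count)
                if (count[key] >= t)
                    print key, count[key]
        }' | sort
}

# Constructed sample in `lastb -i` format (not real data from the page).
SAMPLE_LASTB='fabien ssh:notty 192.0.2.10 Sat Nov 21 18:22 - 18:22 (00:00)
fabien ssh:notty 192.0.2.10 Sat Nov 21 18:22 - 18:22 (00:00)
fabien ssh:notty 192.0.2.10 Sat Nov 21 18:22 - 18:22 (00:00)
root ssh:notty 198.51.100.7 Sat Nov 21 12:38 - 12:38 (00:00)
root ssh:notty 198.51.100.7 Sat Nov 21 12:38 - 12:38 (00:00)
eaguilar ssh:notty 203.0.113.5 Fri Nov 20 11:19 - 11:19 (00:00)

btmp begins Thu Nov 19 16:59:01 2009'

# With a threshold of 3 only the fabien/192.0.2.10 burst is reported.
printf '%s\n' "$SAMPLE_LASTB" | failed_logins_summary 3
```

The trailer line and the blank line that last and lastb print at the end of a report are skipped explicitly, so the function can be fed the raw command output. Without -i the third column is a host name, which the grouping still works on, but one attacker then shows up under as many names as reverse DNS returns.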
DISPLAY STATISTICS ABOUT USERS' CONNECT TIME :
ac options :
#ac --help
Usage: ac [-dhpVy] [-f <file>] [people] ...
[--daily-totals] [--individual-totals] [--file <file>]
[--complain] [--reboots] [--supplants] [--timewarps] [--print-year]
[--compatibility] [--print-zeros] [--debug] [--tw-leniency <value>]
[--tw-suspicious <value>] [--version] [--help]
Connect time per day, in hours :
# ac -d
Nov 19 total 6.95
Nov 20 total 30.34
Today total 20.29
Total connect time per user :
# ac -p
root 5.80
ffaye 51.89
total 57.69
Connect time per user and per day :
# ac -d -p
root 5.80
ffaye 1.15
Nov 19 total 6.95
ffaye 30.34
Nov 20 total 30.34
ffaye 20.39
Today total 20.39
PREVIOUS USER COMMANDS :
lastcomm shows every process the kernel recorded, not only what a shell wrote to a user's history file, and it can be filtered by user, terminal or command name. Two limits matter when you read it: a record only holds the command name (no arguments, and the name is truncated to 15 characters, which is why yum-updatesd-helper appears as yum-updatesd-he in the sa output further down), and it is written when the process exits, so a long-running process is absent until it terminates.
For each entry returned by lastcomm, the following information is printed:
- command name of the process
- flags, as recorded by the system accounting routines:
  S -- command executed by super-user
  F -- command executed after a fork but without a following exec
  C -- command run in PDP-11 compatibility mode (VAX only)
  D -- command terminated with the generation of a core file
  X -- command was terminated with the signal SIGTERM
- the name of the user who ran the process
- the terminal the process was attached to (__ when it had none)
- the CPU time used, in seconds
- time the process exited
Commands filtered by user :
# lastcomm ffaye
bash F ffaye pts/0 0.00 secs Sat Nov 21 18:57
id ffaye pts/0 0.00 secs Sat Nov 21 18:57
bash F ffaye pts/0 0.00 secs Sat Nov 21 18:57
consoletype ffaye pts/0 0.00 secs Sat Nov 21 18:57
bash F ffaye pts/0 0.00 secs Sat Nov 21 18:57
id ffaye pts/0 0.00 secs Sat Nov 21 18:57
egrep ffaye pts/0 0.00 secs Sat Nov 21 18:57
bash F ffaye pts/0 0.00 secs Sat Nov 21 18:57
dircolors ffaye pts/0 0.00 secs Sat Nov 21 18:57
bash F ffaye pts/0 0.00 secs Sat Nov 21 18:57
hostname ffaye pts/0 0.00 secs Sat Nov 21 18:57
bash F ffaye pts/0 0.00 secs Sat Nov 21 18:57
id ffaye pts/0 0.00 secs Sat Nov 21 18:57
bash X ffaye __ 0.01 secs Thu Nov 19 14:51
sshd SF X ffaye __ 0.76 secs Thu Nov 19 14:51
su S X ffaye pts/0 0.00 secs Thu Nov 19 14:51
bash F ffaye pts/2 0.00 secs Sat Nov 21 18:24
id ffaye pts/2 0.00 secs Sat Nov 21 18:24
bash F ffaye pts/2 0.00 secs Sat Nov 21 18:24
consoletype ffaye pts/2 0.00 secs Sat Nov 21 18:24
bash F ffaye pts/2 0.00 secs Sat Nov 21 18:24
id ffaye pts/2 0.00 secs Sat Nov 21 18:24
egrep ffaye pts/2 0.00 secs Sat Nov 21 18:24
bash F ffaye pts/2 0.00 secs Sat Nov 21 18:24
dircolors ffaye pts/2 0.00 secs Sat Nov 21 18:24
bash F ffaye pts/2 0.00 secs Sat Nov 21 18:24
hostname ffaye pts/2 0.00 secs Sat Nov 21 18:24
bash F ffaye pts/2 0.00 secs Sat Nov 21 18:24
id ffaye pts/2 0.00 secs Sat Nov 21 18:24
Commands filtered by command name (here su) :
# lastcomm su
su S X ffaye pts/0 0.00 secs Thu Nov 19 14:51
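Filtering on one command name misses sudo, passwd and every other setuid program. What a reviewer usually wants is the set of records that carry the S flag (the process used superuser privileges) but belong to an account other than root. The script below is an added example, not part of the original page or of the psacct package. It reads lastcomm output on standard input; because lastcomm prints the five flag positions (S F C D X) as a fixed-width column that collapses to between zero and five tokens once whitespace is squeezed, every field is located from the right-hand end of the line, which is stable. The sample records are constructed for the example (the sudo and passwd lines do not come from the page).

```shell
#!/bin/sh
# Added example (not from the original page): report accounting records that
# carry the S flag (superuser privileges used) for a user other than root,
# i.e. su, sudo and setuid programs executed from user sessions.
# Usage on a live host:   lastcomm | privileged_commands
# Fields counted from the right are fixed:
#   ... user tty <cpu> secs <Weekday> <Mon> <day> <HH:MM>
# so the flag tokens are everything between the command name ($1) and the user.
privileged_commands() {
    awk '
        NF < 9 || $(NF-4) != "secs" { next }     # not an accounting record
        {
            user = $(NF-7); tty = $(NF-6)
            when = $(NF-3) " " $(NF-2) " " $(NF-1) " " $NF
            flags = ""
            for (i = 2; i <= NF-8; i++) flags = flags $i   # "S", "F", "X", ...
            if (index(flags, "S") && user != "root")
                print user, tty, $1, flags, when
        }'
}

# Constructed sample in lastcomm format (the sudo and passwd lines are invented).
SAMPLE_LASTCOMM='bash F ffaye pts/0 0.00 secs Sat Nov 21 18:57
id ffaye pts/0 0.00 secs Sat Nov 21 18:57
su S X ffaye pts/0 0.00 secs Thu Nov 19 14:51
sudo S ffaye pts/2 0.01 secs Sat Nov 21 18:30
passwd S eaguilar pts/1 0.02 secs Fri Nov 20 11:25
lastcomm S root pts/0 0.00 secs Sat Nov 21 19:00'

printf '%s\n' "$SAMPLE_LASTCOMM" | privileged_commands
```

The S flag is set whenever the process held root privileges at some point, so sshd's per-connection children also match on a real host; the tty column (__ for daemons) separates those from interactive escalations. Remember that the record gives the program name only: what was run under su or sudo appears as separate records owned by the target user, with no arguments.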
SUMMARIZE ACCOUNTING INFORMATION :
sa summarizes information about previously executed commands as recorded in the acct file. The information can also be summarized on a per-user basis; sa will save this information into a file named usracct.
Example of sa output (the first line is the total over all commands) :
# sa
1034 17545.52re 0.25cp 7754k
16 0.25re 0.21cp 68656k yum-updatesd-he
23 5055.87re 0.01cp 6667k ***other*
8 3099.25re 0.01cp 16921k sshd*
2 6192.47re 0.00cp 16528k bash
12 0.00re 0.00cp 18048k troff
7 3099.04re 0.00cp 17206k sshd
2 0.00re 0.00cp 1328k prelink
22 0.00re 0.00cp 2580k iptables
21 0.03re 0.00cp 11450k cat
14 24.54re 0.00cp 13801k man
8 0.00re 0.00cp 968k modprobe
2 0.00re 0.00cp 16432k ps
144 0.00re 0.00cp 0k kstopmachine*
51 0.00re 0.00cp 10692k iconv
45 0.00re 0.00cp 9135k bash*
42 0.00re 0.00cp 2616k find
37 24.56re 0.00cp 10002k sh
36 0.01re 0.00cp 16311k sendmail*
36 0.00re 0.00cp 1038k gunzip
32 0.00re 0.00cp 947k tmpwatch
30 0.00re 0.00cp 1038k zcat
29 0.01re 0.00cp 4570k awk
28 24.56re 0.00cp 15965k sh*
28 0.00re 0.00cp 13259k rm
24 0.00re 0.00cp 2176k makewhatis*
Output columns, left to right :
- number of times the command was invoked
- "re" : real (wall clock) time, in minutes
- "cp" : sum of system and user time, in CPU minutes
- "k" : CPU-time averaged core usage, in 1k units
- command name; a trailing * marks commands that forked without a following exec, and ***other* groups the commands that were called only once (use sa -a to list them individually)
Per-user summary (sa -m) : number of processes, real time, CPU time and core usage for each user :
# sa -m
1057 17555.55re 0.25cp 7845k
root 987 8263.81re 0.23cp 7467k
ffaye 45 9289.05re 0.01cp 11965k
smmsp 18 0.03re 0.00cp 15088k
sshd 7 2.67re 0.00cp 16054k
TIPS & TRICKS
Don't forget to read man pages to get the good options you want.