How To Monitor User Activity with ACCT or PSACCT
With this tutorial, you will learn how to monitor a user's activity using the ACCT or PSACCT tools.
Among our daily tasks as administrators or support staff in the systems area is supervising and managing the activities that each user performs within the organizational infrastructure. It is also useful to collect information from the system and the network; for this you can visit the following tutorial: Monitorix in Linux.
There are many tools that help us analyze and keep track of these activities, but today we are going to look at the acct and psacct tools.
What are ACCT and PSACCT?
Both utilities are open source tools that help us keep specific control over the activities carried out by users on the machine or system. One of their great advantages is that they run in the background, so the performance of the machine is not affected.
Features we have with acct or psacct
- Monitor user activities
- Display the commands that are used.
- Display a report on the resources that are being used in the system.
- Show how long users have been connected to the system.
- Acct and psacct do not consume machine resources, improving performance.
As we can see, these tools are a great help for the administrative tasks that we must perform daily. We can combine acct or psacct with some parameters that we will see later.
For this tutorial we will use Debian 8, but we also indicate how to perform the installation in other environments.
Update the packages
As we have always recommended, it is important to update the packages before carrying out any task on the system, because almost every day there are new developments that can be very useful for our work.
In CentOS and RedHat distros we will use the following command:
In Debian, Fedora and other distros we can use the command:
Once we have updated the operating system, we proceed to install the necessary packages.
Download and install the acct or psacct packages
Something very important that we must keep in mind is that the acct utility is for Fedora, Debian, Mint distros, etc. and the psacct tool is for CentOS and RedHat distros.
To proceed with the download and respective installation of the mentioned packages, we will enter the following command:
In CentOS and Redhat environments:
yum install psacct
Fedora or Debian:
sudo apt-get install acct or apt-get install acct
We accept the download and wait for the packages to be installed on the system.
Start the acct or psacct Service
Once the respective packages are downloaded and installed, we proceed to start the service, which by default is disabled in CentOS and RedHat environments.
To see the status of the tool we can use the following command:
In CentOS and RedHat:
In Fedora and Debian:
By default it is active in Debian or Fedora. To enable it in RedHat and CentOS we will enter the following commands:
chkconfig psacct on
/etc/init.d/psacct start
With this process we have enabled the acct tool in Fedora or Debian or the psacct tool in CentOS or RedHat.
How to use the acct and psacct tools
The behavior of the two tools is exactly the same. We are going to analyze the parameters that we can use and see the respective results.
If we use the ac command without any additional parameter, we can see the total time in hours of user connections, based on the logins and logouts stored in the system's wtmp file.
We can add some parameters to the ac command to get more detailed information.
We can use the ac -d syntax to see the total time per day.
If we use ac -p syntax we can see the information of each particular user:
If we want to see the total time in hours of a particular user, we use the syntax ac username:
In the same way, we can see the number of hours including the days of a specific user using the syntax ac -d username:
To see a summary of all the commands that have been executed by the users, we use the sa command without any additional parameters.
Each column indicates the following (We take the first row as an example):
- 544: Number of times the command was executed.
- 4.16: Real time, in minutes.
- 0.34: Sum of system and user time, in CPU minutes.
- 764k: Average core (memory) usage, in 1k units.
- In the last column, we see the command executed.
If we want to see the information for each user individually, we can use the sa -u syntax:
If we want to know the number of processes and the CPU usage time of each user, we use the sa -m syntax:
This lets us keep control over the processes that are running, because if these values increase it is a sign that something is wrong. If we want to look at these values in a percentage format, we can use the sa -c syntax:
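The sa -m check described above (a rise in per-user values is a sign that something is wrong) can be automated by comparing two snapshots. This is an added example, not part of the original tutorial: the sample data is constructed, the function names and threshold are hypothetical, and the column layout (user, process count, NNre, NNcp, NNk) is assumed to match GNU acct's sa -m output.

```shell
#!/bin/sh
# Added example: compare two `sa -m` snapshots and list users whose CPU
# minutes grew by more than a threshold. Sample data below is constructed.
# Assumed layout (GNU acct): user, process count, NNre, NNcp, NNk; the
# totals line starts with whitespace because it carries no user name.

snapshot_before='                 120       9.80re       0.50cp       700k
root              80       6.10re       0.30cp       820k
alice             30       3.20re       0.15cp       610k
bob               10       0.50re       0.05cp       540k'

snapshot_after='                 572      59.70re       4.70cp       760k
root              95       7.00re       0.40cp       825k
alice            410      40.10re       2.45cp       790k
bob               12       0.60re       0.05cp       540k
carol             55      12.00re       1.80cp       650k'

# cpu_by_user: read `sa -m` text on stdin, print "user cpu_minutes" per user.
cpu_by_user() {
    awk '
        $0 ~ /^[ \t]/ { next }              # skip the totals line
        {
            for (i = 2; i <= NF; i++)       # find the field ending in "cp"
                if ($i ~ /^[0-9.]+cp$/) { cp = $i; sub(/cp$/, "", cp); print $1, cp }
        }'
}

# cpu_growth BEFORE AFTER THRESHOLD: print "user delta" when CPU minutes
# rose by more than THRESHOLD; a user absent from BEFORE counts from 0.
cpu_growth() {
    {
        printf '%s\n' "$1" | cpu_by_user | sed 's/^/B /'
        printf '%s\n' "$2" | cpu_by_user | sed 's/^/A /'
    } | awk -v t="$3" '
        $1 == "B" { before[$2] = $3 }
        $1 == "A" { d = $3 - before[$2]; if (d > t) printf "%s %.2f\n", $2, d }'
}

cpu_growth "$snapshot_before" "$snapshot_after" 1.0
```

On a live system the two arguments would be the saved text of an earlier sa -m run and the output of a current one, both taken with the privileges needed to read the accounting file.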
To see the commands that a particular user has used, we can use the syntax lastcomm username :
If we use the lastcomm ls syntax, we can see each recorded use of a command (here, ls):
With the accton command, we can turn process accounting on or off.
Thanks to this command we can see the last logins of a user indicating date, time and IP address.
As we have seen, these utilities allow us to take general or personalized control over the tasks that each user performs within the system, and thus determine whether they are incurring faults or running processes that do not correspond to them. We can then take the necessary actions to ensure optimal performance and stability of our systems, whether CentOS, Fedora, Debian or any other, and in this way meticulously fulfill our management roles.
Useful information! If I have several copies of the same command — e.g. different versions of Java — how can I tell which of them was executed?