How to Monitor User Activity with psacct or acct Tools

psacct and acct are both open source applications for monitoring user activity on a system. They run in the background and keep track of each user's activity on your system, as well as the resources being consumed.

I personally used this program in our company; we have a development team whose developers continuously work on servers. So, this is one of the best programs to keep an eye on them. This program provides an excellent way to monitor what users are doing, what commands they are running, how many resources they consume, and how long users are active on the system. Another great feature of this program is that it gives the total resources consumed by services like Apache, MySQL, FTP, SSH, etc.

I think this is a great and much-needed application for every Linux/Unix system administrator who wants to keep track of user activities on their servers/systems.

The psacct or acct package provides several features for monitoring process activities.

  1. The ac command prints statistics of user logins/logouts (connect time) in hours.
  2. The lastcomm command prints information about commands previously executed by users.
  3. The accton command turns process accounting on or off.
  4. The sa command summarizes information about previously executed commands.
  5. The last and lastb commands list the last logged-in users.

Installing psacct or acct Packages

psacct and acct are similar packages and there is not much difference between them, but the psacct package is only available for rpm-based distributions such as RHEL, CentOS and Fedora, whereas the acct package is available for distributions like Ubuntu, Debian and Linux Mint.

To install the psacct package on rpm-based distributions, issue the following yum command.

# yum install psacct

To install the acct package on Ubuntu / Debian / Linux Mint, use the apt-get command.

$ sudo apt-get install acct

OR

# apt-get install acct

Starting psacct or acct Service

By default, the psacct service is disabled and you need to start it manually on RHEL/CentOS/Fedora systems. Use the following command to check the status of the service.

# /etc/init.d/psacct status
Process accounting is disabled.

The status shows as disabled, so let’s start it manually using the following two commands. They create a /var/account/pacct file and start the service.

# chkconfig psacct on
# /etc/init.d/psacct start
Starting process accounting:                               [  OK  ]

After starting the service, check the status again. It should now show as enabled, as below.

# /etc/init.d/psacct status
Process accounting is enabled.

Under Ubuntu, Debian and Mint the service is started automatically, so you don’t need to start it again.

Display Statistics of Users Connect Time

The ac command without any argument displays the total connect time in hours, based on the user logins/logouts recorded in the current wtmp file.

# ac
total     1814.03

Display Statistics of Users Day-wise

The “ac -d” command prints the total login time in hours for each day.

# ac -d
Sep 17  total        5.23
Sep 18  total       15.20
Sep 24  total        3.21
Sep 25  total        2.27
Sep 26  total        2.64
Sep 27  total        6.19
Oct  1  total        6.41
Oct  3  total        2.42
Oct  4  total        2.52
Oct  5  total        6.11
Oct  8  total       12.98
Oct  9  total       22.65
Oct 11  total       16.18

Display Time Totals for each User

The “ac -p” command prints the total login time of each user in hours.

# ac -p
        root                              1645.18
        tecmint                            168.96
        total     1814.14

Display Individual User Time

To get the total login time of user “tecmint” in hours, use the following command.

# ac tecmint
 total      168.96

Display Day-Wise Login Time of User

The following command prints the day-wise total login time of user “tecmint” in hours.

# ac -d tecmint
Oct 11  total        8.01
Oct 12  total       24.00
Oct 15  total       70.50
Oct 16  total       23.57
Oct 17  total       24.00
Oct 18  total       18.70
Nov 20  total        0.18

Print All Account Activity Information

The “sa” command is used to print the summary of commands that were executed by users.

# sa
       2       9.86re       0.00cp     2466k   sshd*
       8       1.05re       0.00cp     1064k   man
       2      10.08re       0.00cp     2562k   sshd
      12       0.00re       0.00cp     1298k   psacct
       2       0.00re       0.00cp     1575k   troff
      14       0.00re       0.00cp      503k   ac
      10       0.00re       0.00cp     1264k   psacct*
      10       0.00re       0.00cp      466k   consoletype
       9       0.00re       0.00cp      509k   sa
       8       0.02re       0.00cp      769k   udisks-helper-a
       6       0.00re       0.00cp     1057k   touch
       6       0.00re       0.00cp      592k   gzip
       6       0.00re       0.00cp      465k   accton
       4       1.05re       0.00cp     1264k   sh*
       4       0.00re       0.00cp     1264k   nroff*
       2       1.05re       0.00cp     1264k   sh
       2       1.05re       0.00cp     1120k   less
       2       0.00re       0.00cp     1346k   groff
       2       0.00re       0.00cp     1383k   grotty
       2       0.00re       0.00cp     1053k   mktemp
       2       0.00re       0.00cp     1030k   iconv
       2       0.00re       0.00cp     1023k   rm
       2       0.00re       0.00cp     1020k   cat
       2       0.00re       0.00cp     1018k   locale
       2       0.00re       0.00cp      802k   gtbl

Where

  1. 9.86re is the “real time”, in wall clock minutes
  2. 0.01cp is the sum of system and user time, in CPU minutes
  3. 2466k is the CPU-time averaged core usage, in 1k units
  4. sshd is the command name

Print Individual User Information

To get information on individual users, use the -u option.

# sa -u
root       0.00 cpu      465k mem accton
root       0.00 cpu     1057k mem touch
root       0.00 cpu     1298k mem psacct
root       0.00 cpu      466k mem consoletype
root       0.00 cpu     1264k mem psacct           *
root       0.00 cpu     1298k mem psacct
root       0.00 cpu      466k mem consoletype
root       0.00 cpu     1264k mem psacct           *
root       0.00 cpu     1298k mem psacct
root       0.00 cpu      466k mem consoletype
root       0.00 cpu     1264k mem psacct           *
root       0.00 cpu      465k mem accton
root       0.00 cpu     1057k mem touch

Print Number of Processes

This command prints the total number of processes and CPU minutes per user. If you see these numbers increasing continuously, then it's time to look into what is happening on the system.

# sa -m
sshd                                    2       9.86re       0.00cp     2466k
root                                  127      14.29re       0.00cp      909k

Print Sort by Percentage

The “sa -c” command prints each entry's share of the totals as percentages.

# sa -c
 132  100.00%      24.16re  100.00%       0.01cp  100.00%      923k
       2    1.52%       9.86re   40.83%       0.00cp   53.33%     2466k   sshd*
       8    6.06%       1.05re    4.34%       0.00cp   20.00%     1064k   man
       2    1.52%      10.08re   41.73%       0.00cp   13.33%     2562k   sshd
      12    9.09%       0.00re    0.01%       0.00cp    6.67%     1298k   psacct
       2    1.52%       0.00re    0.00%       0.00cp    6.67%     1575k   troff
      18   13.64%       0.00re    0.00%       0.00cp    0.00%      509k   sa
      14   10.61%       0.00re    0.00%       0.00cp    0.00%      503k   ac
      10    7.58%       0.00re    0.00%       0.00cp    0.00%     1264k   psacct*
      10    7.58%       0.00re    0.00%       0.00cp    0.00%      466k   consoletype
       8    6.06%       0.02re    0.07%       0.00cp    0.00%      769k   udisks-helper-a
       6    4.55%       0.00re    0.00%       0.00cp    0.00%     1057k   touch
       6    4.55%       0.00re    0.00%       0.00cp    0.00%      592k   gzip
       6    4.55%       0.00re    0.00%       0.00cp    0.00%      465k   accton
       4    3.03%       1.05re    4.34%       0.00cp    0.00%     1264k   sh*
       4    3.03%       0.00re    0.00%       0.00cp    0.00%     1264k   nroff*
       2    1.52%       1.05re    4.34%       0.00cp    0.00%     1264k   sh
       2    1.52%       1.05re    4.34%       0.00cp    0.00%     1120k   less
       2    1.52%       0.00re    0.00%       0.00cp    0.00%     1346k   groff
       2    1.52%       0.00re    0.00%       0.00cp    0.00%     1383k   grotty
       2    1.52%       0.00re    0.00%       0.00cp    0.00%     1053k   mktemp

List Last Executed Commands of User

The ‘lastcomm‘ command is used to search and display information about previously executed user commands. You can also search for the commands of an individual username. For example, to see the commands of user tecmint:

# lastcomm tecmint
su                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
ls                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
ls                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
ls                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
bash               F    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
id                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
grep                    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
grep                    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
bash               F    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
dircolors               tecmint  pts/0      0.00 secs Wed Feb 13 15:56
bash               F    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
tput                    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
tty                     tecmint  pts/0      0.00 secs Wed Feb 13 15:56
bash               F    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
id                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
bash               F    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
id                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56

Search Logs for Commands

With the lastcomm command you can also view every recorded use of an individual command.

# lastcomm ls
ls                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
ls                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
ls                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
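
A report a monitoring job could build from lastcomm output, shown here as an added example that is not part of the original article. The function names, the sample records and the COUNT/FLAG report format are assumptions; the flag letters are those listed in lastcomm(1).

```sh
#!/bin/sh
# Added example: per-user command counts plus records carrying notable flags.
# Flag letters (lastcomm(1)): S = super-user, F = forked without exec,
# D = dumped core, X = terminated by a signal.

# Constructed sample in lastcomm's column layout (not real accounting data).
sample_lastcomm() {
cat <<'EOF'
su                 S    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
ls                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
bash               F    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
crond              SF   root     __         0.00 secs Wed Feb 13 15:55
python             X    deploy   pts/1      1.42 secs Wed Feb 13 15:54
id                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
EOF
}

# Reads lastcomm output on stdin. The flags column is blank for most
# records, so whitespace splitting shifts the user between $2 and $3.
# Fields are therefore located relative to the literal "secs" token.
lastcomm_report() {
    awk '
    {
        s = 0
        # "secs" is field 5 (no flags) or later; starting at 5 also
        # ignores a command or user that happens to be named "secs".
        for (i = 5; i <= NF; i++) if ($i == "secs") { s = i; break }
        if (s == 0) next                     # not a lastcomm record
        flags = (s >= 6) ? $(s - 4) : ""     # empty when column is blank
        user  = $(s - 3)
        count[user]++
        # F alone is routine for shells; report S, D and X records.
        if (flags ~ /[SDX]/) printf "FLAG %s %s %s\n", flags, user, $1
    }
    END { for (u in count) printf "COUNT %s %d\n", u, count[u] }
    ' | LC_ALL=C sort
}

# Run against the constructed sample; on a live host use: lastcomm | lastcomm_report
sample_lastcomm | lastcomm_report
```
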

Ravi Saive

I am Ravi Saive, creator of TecMint. A Computer Geek and Linux Guru who loves to share tricks and tips on Internet. Most Of My Servers runs on Open Source Platform called Linux.


28 Responses

  1. damilola dada says:

    Hello Ravi,

    I installed ‘acct’ on my Ubuntu 14.04 SSH server and I can run the ‘ac’ command, but the ‘sa’ command gives me this error ” couldnt open file ‘/var/log/account/pacct’: permission denied” anytime I run it. How do I go about this please?

  2. jonathan says:

    Hi Ravi,
    I installed acct in Ubuntu 14.04 LTS last May 19 2016, but when I used ‘ac -d myusername’ it only reflects the time consumed yesterday and today. Also, when I use ‘lastcomm myusername’ I get the same result: it reflects the commands used yesterday and today.
    Is there something going on here? Or am I missing something?
    Your help is much appreciated.
    Thank you!

    • Ravi Saive says:

      @Jonathan,

      Could you check the ‘history’ and ‘lastlog’ file under /etc directory, you will come to know why it is showing results of the last day and today.

  3. Martial says:

    Hi Ravi Saive, is there any way that root can give users the privilege to create their own password or to set up their own password so that the root user does not know it, like in Windows? Thanks again for your post. Very good and God bless you.

    • Ravi Saive says:

      @Martial,
      Yes, you as root can force users to change or set their own password after first login; this can be done by using the following command.

      # chage -d0 user-name
      

      Where option “-d0” describes that the password was changed on 1st January 1970, which essentially expires the current password, and forces users to change their passwords on the next login.

  4. Peter says:

    A very good website. I have been looking for a site like this for a while now to get hands on Linux and I must say this is the best.

    Thanks guys

  5. How to join your community…..what is the process of joining community…please tell me…
    Thank you

  6. pratheesh says:

    Thanks for such a useful and excellent article! Keep going :)

    How can we know how many tasks (processes) are held by the swap when RAM is full?

  7. Manoj says:

    Ravi, thanks for such a useful and excellent article! Keep going :)

  8. bruce says:

    Thanks, I am using these tools these days, but I found that the information accounted by psacct resets once every several days. Do you know how to change it? I want to monitor my computer for a long time. Thanks again.

  9. Ken Hall says:

    It is possible to give users full sudo access without allowing sudo su… That way all commands will be logged.

    Cmnd_Alias SU = /bin/su root, /bin/su - root

    Cmnd_Alias FORBIDDEN = /bin/bash, /bin/ksh, /bin/ksh93, /bin/sh, /bin/csh, /bin/tcsh, /bin/zsh, /usr/sbin/pwconv, /usr/sbin/visudo, /usr/bin/crontab

    # sudo applies the last matching entry, so the negations must follow ALL
    USERS ALL = (ALL) ALL, !SU, !FORBIDDEN

  10. Mohit Kumar says:

    It's a good article and very useful. But there are a number of sysadmins handling lots of servers.

    We have done as below:

    1- Disabled first-level root access.
    2- Created individual logins for users with sudo access.

    A user has to log in with his individual login ID and he can switch to a root prompt through
    # sudo su -

    Now the user becomes root and he has all privileges.

    How can we monitor this?

    We can log all the commands which have been fired with sudo, but after switching to root we are not able to identify them.

    A sudo user can not switch to root. Is this possible??

    • Ravi Saive says:

      That’s not possible; if a user knows the root password he will be able to log in and run commands. But if you would like to trace those commands with the date and time of execution, you need to use the history command.
