How to Monitor Linux Commands Executed by System Users in Real-time

If You Appreciate What We Do Here On TecMint, You Should Consider:

  1. Stay Connected to: Twitter | Facebook | Google Plus
  2. Subscribe to our email updates: Sign Up Now
  3. Get your own self-hosted blog with a Free Domain at ($3.95/month).
  4. Become a Supporter - Make a contribution via PayPal
  5. Support us by purchasing our premium books in PDF format.
  6. Support us by taking our online Linux courses

We are thankful for your never ending support.

Aaron Kili

Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

6 Responses

  1. Jor says:

    What happens if the user that has sudo privileges suddenly changes profile and elevates to root profile? ie… ‘sudo su – ‘ at this point the user is in root profile /root . can this sysdig utility still monitor in this case?

    • Aaron Kili says:

      @Jor

      This is a good question, yes sysdig will still monitor the users activity. But it will show the user as root, this means as a system admin, you need to review logfiles(to be specific files in /var/log/audit/ or /var/log/auth.log) to see users who switched to root the account.

  2. K0n24d says:

    By default settings the bash_history is only written to when the shell is closed. Moreover starting your command line with a space doesn’t append it to the history. So using the bash history to monitor user activity looks like complete nonsense to me.

  3. TheOuterLinux says:

    watch -n 1 tail ~/.bash_history

    • Aaron Kili says:

      @TheOuterLinux

      This will only help a user watch their own command history, as a sys admin, you would use something like:
      #watch -n 1 tail /home/username/.bash_history

      But this only allows you to watch one users commands history. Therefore, sysdig as shwon above is still more appropriate for keeping an eye on all users’ command line.

Leave a Reply to K0n24d Cancel reply

Your email address will not be published. Required fields are marked *