How to Monitor Linux Users Activity with psacct or acct Tools

psacct or acct both are open source utilities for monitoring users’ activities on the Linux system. These utilities run in the background and keep track of each user’s activity on your system as well as what resources are being consumed.

I personally used these tools in our company, we have a development team where our developers continuously work on servers. So, these are the best utilities to keep an eye on them.

These programs provide an excellent way to monitor what users are doing, what commands are they executing, how many resources are being consumed by them, and how long users are active on the system. Another useful feature is, that it gives total resources consumed by services like Apache, MySQL, FTP, SSH, etc.

[ You might also like: How to Monitor Linux Commands Executed by System Users in Real-time ]

I think this is one of the great and most needed utilities for every Linux/Unix System Administrator, who wanted to keep a track of user activities on their servers/systems.

The psacct or acct package provides several features for monitoring process activities.

  • ac command prints the statistics of user logins/logouts (connect time) in hours.
  • lastcomm command prints the information of previously executed commands of the user.
  • accton commands is used to turn on/off process for accounting.
  • sa command summarizes information of previously executed commands.
  • last and lastb commands show a listing of last logged-in users.

Installing psacct or acct Packages in Linux

psacct and acct both are similar packages and there is not much difference between them, but the psacct package is only available for rpm-based distributions such as RHEL, CentOS, and Fedora, whereas the acct package is available for distributions like Ubuntu, Debian, and Linux Mint.

To install the psacct package under rpm-based distributions issue the following yum command.

# yum install psacct

To install the acct package using the apt command under Ubuntu / Debian / Linux Mint.

$ sudo apt install acct

On other Linux distributions, you can install it as shown.

$ sudo apk add psacct          [On Alpine Linux]
$ sudo pacman -S acct          [On Arch Linux]
$ sudo zypper install acct     [On OpenSUSE]    
Starting psacct or acct service

By default, the psacct service is in disabled mode and you need to start it manually under RHEL-based distributions. Use the following command to check the status of the service.

$ sudo systemctl status psacct

You see the status showing as disabled, so let’s start it manually using the following commands, which will create a /var/account/pacct file.

$ sudo systemctl start psacct
$ sudo systemctl enable psacct
$ sudo systemctl status psacct
Start psacct Service
Start psacct Service

Under Ubuntu, Debian, and Mint service is started automatically, you don’t need to start it again.

Display Statistics of Users Connect Time

ac command without specifying any argument will display total statistics of connect time in hours based on the user logins/logouts from the current wtmp file.

# ac

total     11299.15
Print Total Connect Time of Linux User
Print Total Connect Time of Linux User

Display Statistics of Linux Users Day-wise

Using the command “ac -d” will print out the total login time in hours by day-wise.

# ac -d

Jun 25	total        0.19
Oct 13	total       14.45
Oct 27	total      672.00
Oct 28	total       15.82
Nov  3	total        4.29
Nov  5	total       10.13
Dec  7	total       14.04
Dec 10	total       23.60
Dec 27	total      808.93
Jan  3	total       12.31
Mar  3	total     1438.67
Jul 22	total     6767.81
Today	total     1517.09
Print Linux User Total Login Time
Print Linux User Total Login Time

Display Total Login Time of All Linux Users

Using the command “ac -p” will print the total login time of each Linux user in hours.

# ac -p

	rockylinux                         425.61
	tecmint                            702.29
	root                             10171.54
	total    11299.44
Print Total Login Time of Users
Print Total Login Time of Users

Display Linux User Login Time

To get the total login statistics time of user “tecmint” in hours, use the command as.

# ac tecmint
 total      702.29

Display Day-Wise Login Time of User

The following command will print the day-wise total login time of user “tecmint” in hours.

# ac -d tecmint
Oct 11  total        8.01
Oct 12  total       24.00
Oct 15  total       70.50
Oct 16  total       23.57
Oct 17  total       24.00
Oct 18  total       18.70
Nov 20  total        0.18

Print All Linux Commands Executed by Users

The “sa” command is used to print the summary of commands that were executed by users.

# sa
       2       9.86re       0.00cp     2466k   sshd*
       8       1.05re       0.00cp     1064k   man
       2      10.08re       0.00cp     2562k   sshd
      12       0.00re       0.00cp     1298k   psacct
       2       0.00re       0.00cp     1575k   troff
      14       0.00re       0.00cp      503k   ac
      10       0.00re       0.00cp     1264k   psacct*
      10       0.00re       0.00cp      466k   consoletype
       9       0.00re       0.00cp      509k   sa
       8       0.02re       0.00cp      769k   udisks-helper-a
       6       0.00re       0.00cp     1057k   touch
       6       0.00re       0.00cp      592k   gzip
       6       0.00re       0.00cp      465k   accton
       4       1.05re       0.00cp     1264k   sh*
       4       0.00re       0.00cp     1264k   nroff*
       2       1.05re       0.00cp     1264k   sh
       2       1.05re       0.00cp     1120k   less
       2       0.00re       0.00cp     1346k   groff
       2       0.00re       0.00cp     1383k   grotty
       2       0.00re       0.00cp     1053k   mktemp
       2       0.00re       0.00cp     1030k   iconv
       2       0.00re       0.00cp     1023k   rm
       2       0.00re       0.00cp     1020k   cat
       2       0.00re       0.00cp     1018k   locale
       2       0.00re       0.00cp      802k   gtbl

Explanation of the above command output:

  • 9.86re is a “real-time” as per wall clock minutes
  • 0.01cp is a sum of system/user time in cpu minutes
  • 2466k is a cpu-time averaged core usage, i.e. 1k units
  • sshd command name

Print Linux User Information

To get the information of an individual user, use the options -u.

# sa -u
root       0.00 cpu      465k mem accton
root       0.00 cpu     1057k mem touch
root       0.00 cpu     1298k mem psacct
root       0.00 cpu      466k mem consoletype
root       0.00 cpu     1264k mem psacct           *
root       0.00 cpu     1298k mem psacct
root       0.00 cpu      466k mem consoletype
root       0.00 cpu     1264k mem psacct           *
root       0.00 cpu     1298k mem psacct
root       0.00 cpu      466k mem consoletype
root       0.00 cpu     1264k mem psacct           *
root       0.00 cpu      465k mem accton
root       0.00 cpu     1057k mem touch

Print Number of Linux Processes

This command prints the total number of processes and CPU minutes. If you see a continued increase in these numbers, then it’s time to look into the system about what is happening.

# sa -m
sshd                                    2       9.86re       0.00cp     2466k
root                                  127      14.29re       0.00cp      909k

Print and Sort Usage by Percentage

The command “sa -c” displays the highest percentage of users.

# sa -c
 132  100.00%      24.16re  100.00%       0.01cp  100.00%      923k
       2    1.52%       9.86re   40.83%       0.00cp   53.33%     2466k   sshd*
       8    6.06%       1.05re    4.34%       0.00cp   20.00%     1064k   man
       2    1.52%      10.08re   41.73%       0.00cp   13.33%     2562k   sshd
      12    9.09%       0.00re    0.01%       0.00cp    6.67%     1298k   psacct
       2    1.52%       0.00re    0.00%       0.00cp    6.67%     1575k   troff
      18   13.64%       0.00re    0.00%       0.00cp    0.00%      509k   sa
      14   10.61%       0.00re    0.00%       0.00cp    0.00%      503k   ac
      10    7.58%       0.00re    0.00%       0.00cp    0.00%     1264k   psacct*
      10    7.58%       0.00re    0.00%       0.00cp    0.00%      466k   consoletype
       8    6.06%       0.02re    0.07%       0.00cp    0.00%      769k   udisks-helper-a
       6    4.55%       0.00re    0.00%       0.00cp    0.00%     1057k   touch
       6    4.55%       0.00re    0.00%       0.00cp    0.00%      592k   gzip
       6    4.55%       0.00re    0.00%       0.00cp    0.00%      465k   accton
       4    3.03%       1.05re    4.34%       0.00cp    0.00%     1264k   sh*
       4    3.03%       0.00re    0.00%       0.00cp    0.00%     1264k   nroff*
       2    1.52%       1.05re    4.34%       0.00cp    0.00%     1264k   sh
       2    1.52%       1.05re    4.34%       0.00cp    0.00%     1120k   less
       2    1.52%       0.00re    0.00%       0.00cp    0.00%     1346k   groff
       2    1.52%       0.00re    0.00%       0.00cp    0.00%     1383k   grotty
       2    1.52%       0.00re    0.00%       0.00cp    0.00%     1053k   mktemp

List Last Executed Commands of User

The ‘latcomm‘ command is used to search and display previously executed user command information. You can also search commands of individual usernames. For example, we see commands of the user (tecmint).

# lastcomm tecmint
su                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
ls                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
ls                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
ls                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
bash               F    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
id                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
grep                    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
grep                    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
bash               F    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
dircolors               tecmint  pts/0      0.00 secs Wed Feb 13 15:56
bash               F    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
tput                    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
tty                     tecmint  pts/0      0.00 secs Wed Feb 13 15:56
bash               F    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
id                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
bash               F    tecmint  pts/0      0.00 secs Wed Feb 13 15:56
id                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56

Search Logs for Commands

With the help of the lastcomm command, you will be able to view the individual use of each command.

# lastcomm ls
ls                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
ls                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56
ls                      tecmint  pts/0      0.00 secs Wed Feb 13 15:56

For more information and usage, check out the manual pages of these tools.

If you liked this article, then do subscribe to email alerts for Linux tutorials. If you have any questions or doubts? do ask for help in the comments section.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

29 thoughts on “How to Monitor Linux Users Activity with psacct or acct Tools”

  1. I am very new to linux administration.

    To audit user activity, I installed and used psacct with the following command:

    # lastcomm root
    

    but I do not get any mention for the command “history” that I ran to test. Is there something I am doing wrong?

    Reply
    • Hi,

      When I executed lastcomm sdiff command, I could output is popping multiple times instead of a single display, please help me on this?

      [[email protected] ~]# lastcomm sdiff
      sdiff                   root     pts/0      0.00 secs Mon Aug  3 07:52
      sdiff                   root     pts/0      0.00 secs Mon Aug  3 07:52
      sdiff                   root     pts/0      0.00 secs Mon Aug  3 07:52
      sdiff                   root     pts/0      0.00 secs Mon Aug  3 07:52
      sdiff                   root     pts/0      0.00 secs Mon Aug  3 07:52
      
      Reply
  2. Hello Ravi,

    In our server all users get login in root through SSH. So how I can identify which commands are executed by particular user?

    By using “last -F” I got login details in IPADDR & by using “lastcomm” I am getting all executed commands, but still not getting users own history. Please suggest to monitors specific users history in this scenario.

    Reply
    • @Sush,

      You can find all users commands history under /home/user_name/.bash_history file, you can use find or grep command to list the history of all users..

      Reply
      • Hello Ravi,

        Thanks for your reply. but here we have only 2 users first login into admin after switch user to root. All our operations team members are working in root administrator account. So in that case I want to found in root only which member have executed the commands in root bash_history.

        Reply
  3. hello Ravi,

    Please i will like to ask a question, the sa -u command does not specify which date the result produced is meant for, is it daily or monthly?

    Reply

Got something to say? Join the discussion.

Have a question or suggestion? Please leave a comment to start the discussion. Please keep in mind that all comments are moderated and your email address will NOT be published.