Monday, March 4, 2013

Monitoring User Activity with psacct On Linux

One of the big advantages of using psacct on your server is that it provides excellent logging of application and user activity.




Installation:

For Red Hat, Fedora, CentOS:

yum install psacct
service psacct start

For Ubuntu, Debian:

apt-get install acct
service acct start


The package includes the following utilities:
The ac command displays statistics about how long users have been logged on.
The lastcomm command displays information about previously executed commands.
The sa command summarizes information about previously executed commands.
The accton command turns process accounting on or off.

How to use psacct:

ac -p prints each user's connect time in hours, based on logins and logouts.

root@Vishalvyas:~#  ac -p
        vishal                        9.12
        Ashish                      20.60
        Vipul                        15.80
        Anil                          17.33
        Akshay                     10.92
        pritesh                      4.10
        chirag                       8.75
        total                         168.95

To see which commands a user has executed on the system:

root@Vishalvyas:~# lastcomm vishal

Process        Flag    Username  Terminal    Time

vim                          X vishal        pts/2         0.01 secs Tue Mar  5 10:16
su               S           vishal            pts/2         0.00 secs Tue Mar  5 10:16
bash                        vishal            pts/2        0.10 secs Tue Mar  5 10:16
bash             F         vishal            pts/2        0.00 secs Tue Mar  5 10:16
python                     vishal            pts/2       0.05 secs Tue Mar  5 10:16
crontab                    vishal            pts/2       0.00 secs Tue Mar  5 10:16
bash             F         vishal            pts/2       0.00 secs Tue Mar  5 10:16
python                     vishal            pts/2       0.04 secs Tue Mar  5 10:16
bash             F         vishal            pts/2       0.00 secs Tue Mar  5 10:16
python                     vishal            pts/2       0.04 secs Tue Mar  5 10:16
ssh                          vishal            pts/2       0.00 secs Tue Mar  5 10:16
ifconfig                    vishal            pts/2       0.00 secs Tue Mar  5 10:16


Search the accounting logs by command name:
root@Vishalvyas:~#  lastcomm vim
vim                    root     pts/1      0.02 secs Tue Mar  5 10:28
vim                    root     pts/1      0.02 secs Tue Mar  5 10:18
vim                  X vishal   pts/2      0.01 secs Tue Mar  5 10:16



Print All Account Activity:
The “sa” command prints a summary of the commands that were executed by users.
root@Vishalvyas:~# sa
    3178    4679.96re       0.80cp         0avio      4435k
     176    4586.25re        0.69cp         0avio     19371k   httpd*
      35       0.15re           0.04cp          0avio     23363k   /usr/share/webm*
      15       0.04re           0.02cp          0avio     17296k   landscape-sysin
      12       0.04re           0.02cp          0avio      6346k   DB_to_TNF.pl
      13       5.80re           0.01cp          0avio     26052k   svn
 

Flags:
S - executed as super-user
F - executed after a fork but not followed by an exec
D - terminated with core file
X - terminated with signal SIGTERM
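
The flags above can be used to filter lastcomm output during a review. The following is an added example, not part of the original post: the function names, the sample records and the choice to report S only for non-root accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: review lastcomm output using the S, D and X flags.
# Fields are counted from the right because the flag column may be empty
# or hold several letters separated by spaces.

# Constructed sample in lastcomm's output format. On a real host, pipe
# the output of lastcomm into the functions below instead.
sample_lastcomm() {
    cat <<'EOF'
vim                    X alice    pts/2      0.01 secs Tue Mar  5 10:16
su               S       alice    pts/2      0.00 secs Tue Mar  5 10:16
bash              F      alice    pts/2      0.00 secs Tue Mar  5 10:15
python                   bob      pts/3      0.05 secs Tue Mar  5 10:14
passwd           S       bob      pts/3      0.01 secs Tue Mar  5 10:13
myapp            S   X   root     __         0.40 secs Tue Mar  5 10:12
EOF
}

# Print reason, user, command and terminal (tab-separated) for records
# that used superuser rights from a non-root account, dumped core, or
# were terminated with SIGTERM.
lastcomm_flagged() {
    awk '
    NF >= 9 && $(NF-4) == "secs" {
        user = $(NF-7); tty = $(NF-6); flags = ""
        for (i = 2; i <= NF - 8; i++) flags = flags $i
        reason = ""
        if (index(flags, "S") && user != "root") reason = reason "superuser,"
        if (index(flags, "D")) reason = reason "coredump,"
        if (index(flags, "X")) reason = reason "sigterm,"
        sub(/,$/, "", reason)
        if (reason != "") printf "%s\t%s\t%s\t%s\n", reason, user, $1, tty
    }'
}

# Print user, number of commands and total CPU seconds, sorted by user.
lastcomm_per_user() {
    awk '
    NF >= 9 && $(NF-4) == "secs" { n[$(NF-7)]++; cpu[$(NF-7)] += $(NF-5) }
    END { for (u in n) printf "%s\t%d\t%.2f\n", u, n[u], cpu[u] }
    ' | LC_ALL=C sort
}

sample_lastcomm | lastcomm_flagged
sample_lastcomm | lastcomm_per_user
```

On a live system the same functions can be fed directly, for example `lastcomm | lastcomm_flagged`.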


Thanks,
Vishal Vyas
