How to Monitor Linux Users Activity with psacct or acct Tools?

Monitoring user activity in Linux systems is crucial for ensuring system security, optimizing resource usage, and identifying potential issues. By keeping track of user actions, administrators can gain valuable insights into system behavior, detect unauthorized activities, and troubleshoot performance problems.

Two widely used tools in the Linux community are psacct and acct. These tools provide comprehensive functionality for tracking and analyzing user actions, allowing system administrators to maintain a robust and secure environment through detailed process accounting.

Understanding Process Accounting Tools

Process accounting is a Linux kernel feature that logs information about every process that terminates on the system. Both psacct and acct utilize this capability to provide detailed monitoring and reporting.

Psacct (Process Accounting)

psacct is a powerful utility that tracks system resources utilized by users and processes. It collects detailed information such as CPU usage, memory consumption, disk I/O, and executed commands.

Key features of psacct include:

• Resource Monitoring ? Tracks CPU, memory, and disk usage at a granular level for each process.

• Command Execution Tracking ? Records commands executed by users with detailed execution statistics.

• Reporting and Analysis ? Provides tools to generate reports and analyze collected data for informed decision-making.

Acct Tool

acct provides similar process accounting capabilities but with additional focus on command logging and file access operations. It captures user activities by monitoring commands executed and system interactions.

Key features of acct include:

• Command Execution Logging ? Records commands with arguments and execution times.

• User Activity Tracking ? Monitors user sessions and login patterns.

• Historical Data ? Maintains logs for historical analysis and auditing purposes.

Installation and Configuration

Installing Process Accounting Tools

Installation varies by distribution but follows standard package management practices:

For Debian-based distributions (Ubuntu, etc.):

sudo apt-get update
sudo apt-get install acct

For Red Hat-based distributions (CentOS, RHEL):

sudo yum install psacct
# or for newer versions
sudo dnf install psacct

For Arch Linux:

sudo pacman -S acct

Enabling Process Accounting

After installation, enable and start the accounting service:

sudo systemctl enable acct
sudo systemctl start acct

Verify the service status:

sudo systemctl status acct

The accounting data is typically stored in /var/log/account/pacct or /var/account/pacct.

Monitoring User Activity

Basic Commands

View recent command history for all users:

lastcomm

View commands executed by a specific user:

lastcomm username

Display user summary statistics:

sa -u

Detailed Analysis

Generate detailed process summary with resource usage:

sa -m

View daily user activity summary:

ac -d

Display individual user totals:

ac -p

Practical Examples

Monitor CPU time usage by user:

sa -u | head -10

   1234      5.67re     1.23cp     0avio      125k
   john      987.45re    12.34cp    15avio     256k   
   alice     543.21re    8.76cp     8avio      189k

Track specific command usage:

lastcomm vim

vim      S     john     pts/0      0.02 secs Mon Dec 11 14:32
vim      S     alice    pts/1      0.15 secs Mon Dec 11 13:45

Key Benefits

Conclusion

Process accounting tools like psacct and acct provide essential capabilities for monitoring user activity in Linux systems. These tools enable administrators to track resource usage, audit command execution, and generate comprehensive reports for security and performance analysis. By implementing proper process accounting, organizations can maintain better control over their Linux infrastructure and ensure optimal system performance.