How to Monitor Linux User Activity with psacct or acct Tools?


Monitoring user activity in Linux systems is crucial for ensuring system security, optimizing resource usage, and identifying potential issues. By keeping track of user actions, administrators can gain valuable insights into system behavior, detect unauthorized activities, and troubleshoot performance problems.

To effectively monitor user activity, reliable tools are required. Two such tools widely used in the Linux community are psacct and acct. These tools provide comprehensive functionality for tracking and analyzing user actions, allowing system administrators to maintain a robust and secure environment.

In this blog post, we will explore the capabilities of psacct and acct and provide a detailed guide on how to utilize them for monitoring user activity in Linux systems. We will cover the installation and configuration of these tools, as well as demonstrate their usage through practical examples and code snippets.

Understanding Psacct and Acct

In order to effectively monitor user activity in Linux systems, it's essential to understand the tools at our disposal. Let's take a closer look at psacct and acct, their purpose, and the benefits they offer.

Psacct

psacct, also known as Process Accounting, is a powerful utility that tracks the system resources utilized by users and processes. It collects detailed information such as CPU usage, memory consumption, disk I/O, and executed commands. This comprehensive data allows administrators to gain insights into resource utilization patterns, identify bottlenecks, and track the activities of individual users or processes.

The main features of psacct include −

  • Resource Monitoring − psacct tracks the resource usage of processes, enabling administrators to monitor CPU, memory, and disk usage at a granular level.

  • Command Execution Tracking − It records the commands executed by users, providing visibility into the actions performed on the system.

  • Reporting and Analysis − psacct offers tools to generate reports and analyze the collected data, allowing administrators to make informed decisions based on system usage patterns.

Acct

acct is another utility that provides process accounting capabilities in Linux systems. It captures user activities by monitoring commands executed, system calls made, and file access operations. The information collected by acct helps administrators understand user behavior, identify potential security breaches, and optimize system performance.

Key features of acct include −

  • Command Execution Logging − acct records the commands executed by users, including their arguments and execution times.

  • System Call Tracing − It captures system calls made by processes, providing insights into the interactions between user programs and the operating system.

  • File Access Monitoring − acct logs file operations, giving visibility into file reads, writes, and deletions performed by users or processes.

By using psacct and acct, administrators can gain a comprehensive understanding of user activities, resource usage, and system behavior. These tools serve as valuable aids in maintaining the security, efficiency, and stability of Linux systems.

Installing and Configuring Psacct and Acct

To start monitoring user activity using psacct and acct, you need to install and configure these tools appropriately. In this section, we will walk you through the installation process and provide guidelines for configuring both psacct and acct.

Installing Psacct

Installing psacct is straightforward and can be done using package managers specific to your Linux distribution. Here's a general outline of the installation process −

For Debian-based distributions (e.g., Ubuntu) −

sudo apt-get install psacct

For Red Hat-based distributions (e.g., CentOS) −

sudo yum install psacct

For Arch Linux −

sudo pacman -S psacct

After completing the installation, psacct will be ready to use.

Configuring Psacct

Psacct provides configuration options to tailor the monitoring behavior according to your specific requirements. The main configuration file for psacct is usually located at /etc/psacct/psacct.conf. You can modify this file using a text editor to customize the settings.

Some common configuration options include −

  • ENABLE_ACCT − Set this to YES to enable process accounting.

  • SUSPEND_ACCT − Set this to YES to suspend process accounting temporarily.

  • COMPRESS_ACCOUNTING − Set this to YES to compress accounting files.

Ensure you review and adjust these options based on your monitoring needs.

Installing and Configuring Acct

The installation and configuration process for acct may vary slightly depending on your Linux distribution. Here's a general guide:

For Debian-based distributions −

sudo apt-get install acct

For Red Hat-based distributions −

sudo yum install acct

For Arch Linux −

sudo pacman -S acct

Once installed, acct automatically starts collecting accounting information.

That wraps up the installation and configuration section for psacct and acct. In the next section, we will delve into the specifics of monitoring user activity with psacct.

Monitoring User Activity with Psacct

Now that we have psacct installed and configured, let's explore how to effectively monitor user activity using this powerful tool. In this section, we will cover enabling process accounting, viewing process accounting records, analyzing data, and generating reports.

Enabling Process Accounting

To start monitoring user activity with psacct, we need to enable process accounting. This allows psacct to collect detailed information about the system resources utilized by users and processes. To enable process accounting, follow these steps −

  • Open a terminal and run the following command with root privileges to start the psacct service −

sudo systemctl start psacct

  • To ensure that psacct starts automatically upon system boot, run the following command −

sudo systemctl enable psacct

With process accounting enabled, psacct will begin collecting data on user activity.

Viewing Process Accounting Records

To monitor user activity and view process accounting records, we can use the sa command provided by psacct. This command allows us to access valuable information about user behavior and system resource usage. Here are some commonly used options −

  • To view user summary statistics −

sudo sa -u

This command displays a summary of user activities, including the total number of commands executed, CPU time utilized, and more.

  • To display a detailed process summary −

sudo sa -m

The sa -m command provides a detailed summary of processes executed, including CPU usage, memory consumption, and disk I/O.

  • To view the commands executed by a specific user −

sudo sa -u | awk '$1 == "<username>"'

By filtering on the username, we can narrow down the results and view the commands executed by a particular user.

Analyzing Process Accounting Data

Analyzing process accounting data allows us to gain deeper insights into user behavior and system resource utilization. Psacct provides several tools to assist with data analysis:

  • sar command −

    The sar command (System Activity Reporter) provides system activity reports based on process accounting data. It allows us to analyze CPU usage, memory consumption, disk I/O, and more. For example, to view CPU utilization statistics, we can run:

sudo sar -u

  • sadf command −

    The sadf command (System Accounting Data Formatter) converts process accounting data to a human-readable format. This can be helpful for further analysis or generating custom reports. For instance, to convert process accounting data to a text file, we can use:

sudo sadf -p > accounting_data.txt

Generating Reports

Psacct offers reporting capabilities that allow us to generate concise and insightful reports based on the collected user activity data. The accton command is used to generate reports. For example, to generate a report in the /var/log/account/pacct file, we can run −

sudo accton /var/log/account/pacct

This report provides valuable information about user activities, resource usage, and system behavior.

With psacct, you can effectively monitor user activity, analyze system resource utilization, and generate informative reports.

In the next section, we will explore how to monitor user activity using acct.

Monitoring User Activity with Acct

In addition to psacct, Linux systems also provide the acct tool for monitoring user activity. acct captures user activities by monitoring commands executed, system calls made, and file access operations. Let's explore how to effectively utilize acct for user activity monitoring.

Enabling Acct

By default, acct is usually installed and activated on Linux systems. To verify its status, you can use the following command −

sudo systemctl status acct

If acct is not active, you can start it using the command −

sudo systemctl start acct

Viewing User Activity

To view user activity recorded by acct, we can utilize the lastcomm command. This command displays information about the commands executed by users, including the username, command name, and execution time. For example −

lastcomm

To view the commands executed by a specific user, you can use −

lastcomm <username>
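
The records that lastcomm and sa display come from the binary accounting file (/var/log/account/pacct earlier on this page), to which the kernel appends one fixed-size record per exited process. As an added example that is not part of the original article, this Python parser decodes those records, assuming the Linux acct_v3 layout on a little-endian machine and 100 accounting ticks per second; make_record, SAMPLE and commands_by_uid are hypothetical names used only for the demonstration.

```python
import struct
from collections import Counter

# Linux struct acct_v3 (linux/acct.h): 64 bytes per exited process; assumed little-endian.
REC = struct.Struct("<BBHIIIIIIf8H16s")
AFORK, ASU, AXSIG = 0x01, 0x02, 0x10  # ac_flag bits
AHZ = 100  # assumption: accounting clock ticks per second


def comp_t(v):
    """Expand a 16-bit comp_t: 13-bit mantissa, 3-bit base-8 exponent."""
    return (v & 0x1FFF) << (3 * (v >> 13))


def parse_pacct(data):
    """Yield a dict per complete record; a truncated tail is ignored."""
    for off in range(0, len(data) - REC.size + 1, REC.size):
        f = REC.unpack_from(data, off)
        if f[1] != 3:
            raise ValueError(f"unsupported record version {f[1]} at offset {off}")
        yield {
            # ac_comm holds the command name only (max 15 chars, no arguments)
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
            "uid": f[4], "pid": f[6], "ppid": f[7], "start": f[8],
            "cpu_secs": (comp_t(f[10]) + comp_t(f[11])) / AHZ,
            "superuser": bool(f[0] & ASU),      # used superuser privileges
            "signalled": bool(f[0] & AXSIG),    # terminated by a signal
        }


def commands_by_uid(data):
    """Tally command runs per numeric uid: {uid: Counter({comm: runs})}."""
    tally = {}
    for rec in parse_pacct(data):
        tally.setdefault(rec["uid"], Counter())[rec["comm"]] += 1
    return tally


def make_record(comm, uid, flag=0, utime=0, stime=0):
    """Build one constructed sample record (hypothetical helper for the demo)."""
    return REC.pack(flag, 3, 0, 0, uid, uid, 4242, 1, 1691400000, 0.0,
                    utime, stime, 0, 0, 0, 0, 0, 0, comm.encode())


# Constructed sample: three records followed by a 10-byte truncated tail.
SAMPLE = (make_record("bash", 1000, AFORK) + make_record("sudo", 1000, ASU, utime=3, stime=2)
          + make_record("curl", 1001, utime=0x2000 | 5) + b"\0" * 10)

print(commands_by_uid(SAMPLE))
```

On a live system, pass the bytes read from the accounting file in place of SAMPLE; reading that file normally requires root.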

File Access Monitoring

One of the key features of acct is file access monitoring. It records file operations performed by users or processes, such as reads, writes, and deletions. The file access data can be accessed using the ac command. For instance −

ac -d

This command provides a summary of file access operations, including the number of files read, written, and deleted.

Generating Reports

Acct provides the capability to generate reports summarizing user activity. The sa command, similar to the one used with psacct, can be used with acct as well. For example −

sa -u

This command generates a summary report of user activities, including the total number of commands executed and CPU time utilized.

Acct also offers additional reporting tools, such as action, to generate customized reports based on the collected data. These reports can provide valuable insights into user behavior and system usage patterns.

Conclusion

In this blog post, we explored the powerful tools psacct and acct for monitoring user activity in Linux systems. By installing and configuring these tools, you can effectively track user behavior, analyze system resource utilization, and generate insightful reports.

With psacct, you can enable process accounting, view accounting records, and analyze data using tools like sar and sadf. Acct complements psacct by providing additional features such as command monitoring and file access tracking. By leveraging these tools, system administrators can gain valuable insights into user activities, enhance system security, and optimize resource allocation.

Updated on: 09-Aug-2023
