The latest Linux Kernel comes with very good feature of process accounting. Using this feature you can keep watch on the processes in Linux.
Process accounting is the method of recording and summarizing commands executed on Linux. The modern Linux kernel is capable of keeping process accounting records for the commands being run, the user who executed the command, the CPU time, and much more.
Process accounting enables you to keep detailed accounting information for the system resources used, their allocation among users, and system monitoring.
Before you enable process accounting, make sure that you have enough space in your disk to store the log files. It requires kernel version above 1.3.73.
Below are the steps to enable process accounting.
■ Check kernel version. It should be above 1.3.73
# uname -r
■ Install Process Accounting Software
# yum install psacct -y
■ Start process account service.
# systemctl start psacct.service
■ Check status of service
# systemctl status psacct.service
Process accounting maintains a log file /var/account/pacct
Process Accounting Commands :
1. ac Command :
ac prints out statistics about users’ connection times in hours based on the logins and logouts in the
current /var/log/wtmp file.
# ac # ac -p # ac -d
ac is also capable of printing out time totals for each day (−d option), and for each user (−p option).
2. accton Command :
Turns process accounting on or off.
# accton on # accton on /var/log/act.log # accton off
You can use systemctl command to control this feature with default log file /var/account/pacct.
3. last Command :
last goes through the /var/log/wtmp file and prints out information about users’ connection times.
# last # last -w
4. sa Command :
sa summarizes accounting information from previously executed commands, software I/O operation
times, and CPU times, as recorded in the accounting record file /var/account/pacct.
# sa
# sa -a
5. lastcomm Command :
lastcomm prints out the information about all previously executed commands, recorded in
/var/account/pacct.
# lastcomm # lastcomm --user root
More options can be found in man pages.
Keeping processing accounting option enabled all time can consume lot of space in your disk. It is recommended that your should enable this when you are supposed to monitor system behavior.