In order for Debian to support process accounting, you need to install the "acct" Debian package
debian:~# apt-get install acct
Reading Package Lists... Done
(Reading database ... 6023 files and directories currently installed.)
Unpacking acct (from acct_6.3.5-32_i386.deb) ...
Setting up acct (6.3.5-32) ...
Starting process accounting:
This starts the system accounting process and begins logging all system activity to the following file:
When you install the Debian package, it will also add entries to the system cron folders (/etc/cron.daily and /etc/cron.monthly) in order to keep track of these files, and make sure that they don't grow too large.
You will now be able to use the following commands to query the accounting database:
The ac command prints statistics about users' connection time, in hours. This is the amount of time that the user has been connected to the system, either remotely via SSH or a serial terminal, or while on the console.
debian:~# ac
        total       10.44
debian:~# _
In the screenshot above, we can see that the root user has been logged in for over 10 hours so far this month.
The lastcomm command displays information about previously executed commands, with the most recent entries listed first. It also shows the total amount of CPU time that each process used.
debian:~# lastcomm
lastcomm         root     stderr     0.02 secs Mon Mar  1 02:36
ls               root     stderr     0.01 secs Mon Mar  1 02:34
ls               root     stderr     0.00 secs Mon Mar  1 02:34
ls               root     stderr     0.01 secs Mon Mar  1 02:34
ls               root     stderr     0.01 secs Mon Mar  1 02:34
ls               root     stderr     0.01 secs Mon Mar  1 02:34
sa               root     stderr     0.00 secs Mon Mar  1 02:34
sa               root     stderr     0.01 secs Mon Mar  1 02:34
sa               root     stderr     0.00 secs Mon Mar  1 02:33
acct             root     stderr     0.03 secs Mon Mar  1 02:33
accton         S root     stderr     0.00 secs Mon Mar  1 02:33
Here we can see that the root user executed the sa command three times and the ls command five times, followed finally by the lastcomm command that is displaying the current listing.
You'll notice that there's a field after the command, but before the username, which can contain the following symbols:
S - command executed by super-user
F - command executed after a fork but without a following exec
D - command terminated with the generation of a core file
X - command was terminated with the signal SIGTERM
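An added example, not from the original page, that parses a lastcomm listing in the column layout shown above and summarises it for a daily review. The sample input is constructed here: the root entries from the listing plus two hypothetical alice entries that exercise the D and X flags.

```shell
#!/bin/sh
# Triage a lastcomm listing. Columns are:
#   command [flags] user tty cpu "secs" weekday month day time
# The flag column is optional, so a record has either 9 or 10 fields.

# Constructed sample: root entries from the page plus two hypothetical
# alice entries (a core dump and a SIGTERM kill) to exercise the flags.
LASTCOMM_SAMPLE='lastcomm         root     stderr     0.02 secs Mon Mar  1 02:36
ls               root     stderr     0.01 secs Mon Mar  1 02:34
sa               root     stderr     0.00 secs Mon Mar  1 02:34
myapp          D alice    pts/0      0.40 secs Mon Mar  1 02:30
sleep          X alice    pts/0      0.00 secs Mon Mar  1 02:29
accton         S root     stderr     0.00 secs Mon Mar  1 02:33'

# parse_lastcomm: read lastcomm output on stdin and emit one
# "command|flags|user|tty|cpu" record per line.
parse_lastcomm() {
    awk '{
        if (NF == 10) { flags = $2; user = $3; tty = $4; cpu = $5 } else { flags = ""; user = $2; tty = $3; cpu = $4 }
        printf "%s|%s|%s|%s|%s\n", $1, flags, user, tty, cpu
    }'
}

# count_flagged FLAG: number of records whose flag column contains FLAG
# (S = super-user, F = fork without exec, D = core dumped, X = SIGTERM).
count_flagged() {
    parse_lastcomm | awk -F'|' -v f="$1" 'index($2, f) > 0 { n++ } END { print n + 0 }'
}

# commands_by_user USER: distinct commands USER ran, in listing order,
# comma-separated.
commands_by_user() {
    parse_lastcomm | awk -F'|' -v u="$1" \
        '$3 == u && !seen[$1]++ { out = (out == "") ? $1 : out "," $1 } END { print out }'
}

# report: one line per flag of interest, suitable for a daily review mail.
report() {
    for f in S F D X; do
        printf '%s %s\n' "$f" "$(printf '%s\n' "$LASTCOMM_SAMPLE" | count_flagged "$f")"
    done
}

report
```

On a live system, replace the sample with the real listing by piping `lastcomm` into `parse_lastcomm` or `count_flagged` directly.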
The sa command displays a summary of the accounting database to date. A sample output may appear as follows:
debian:~# sa
     195    2083.07re       0.03cp     0avio   418k
      29     512.10re       0.01cp     0avio   507k   sh
       7     184.77re       0.01cp     0avio   401k   less
       4       0.63re       0.01cp     0avio   619k   troff
       6       0.33re       0.00cp     0avio   462k   dpkg
      14     528.33re       0.00cp     0avio   400k   pager
       8      17.97re       0.00cp     0avio   372k   lastcomm
      12       0.18re       0.00cp     0avio   373k   ls
      25     151.47re       0.00cp     0avio   402k   gzip
      14     529.15re       0.00cp     0avio   420k   man
       4      29.98re       0.00cp     0avio   465k   grotty
       8      67.00re       0.00cp     0avio   448k   ***other*
      12       0.12re       0.00cp     0avio   336k   ac
      12       0.07re       0.00cp     0avio   312k   expr
       4      30.22re       0.00cp     0avio   508k   nroff
       4       0.15re       0.00cp     0avio   542k   dhclient-script
       4       0.25re       0.00cp     0avio   445k   tbl
       5       0.03re       0.00cp     0avio   317k   sa
       4       0.07re       0.00cp     0avio   317k   zsoelim
       4      30.02re       0.00cp     0avio   441k   groff
       4       0.03re       0.00cp     0avio   314k   locale
       4       0.10re       0.00cp     0avio   508k   nroff*
       4       0.00re       0.00cp     0avio   310k   uname
       3       0.10re       0.00cp     0avio   508k   sh*
The first field contains the total number of times that the specific command has been executed on the system. The "re" field shows the cumulative amount of "real time" that the command consumed, in seconds. The "cp" column shows the number of seconds actually spent on the CPU. The "avio" column is the average number of I/O operations per execution. The "k" field shows the average amount of CPU core usage, in 1k units. Finally, the last column shows the command itself; an asterisk (*) denotes that the command fork()ed but didn't call exec().
SYNTAX: last [ -count] [ username ] [ -f file ]
Although the last command is not part of the "acct" package, it is still worth mentioning here.
[[ exercise: determine which package the last command is part of ]]
The last command displays the login and logout times for all users who've connected to the system. This data is stored in the /var/log/wtmp file.
The "-count" switch limits the number of entries to display. The "username" parameter specifies a particular user whose records should be examined; the default is to display the records for all users.
The "-f file" switch allows you to specify a different file to extract this information from, instead of the default /var/log/wtmp file.
The wtmp file also logs reboot and shutdown commands. You can use the word "reboot" instead of a username to just display these entries.
In addition to the wtmp file, you can also configure your system to use a btmp file. This file maintains a record of all the failed login attempts.
You can use the lastb command to view this file. The lastb command is the same as last, except that its default file is /var/log/btmp instead of /var/log/wtmp.
You will need to create the file initially for the system to start using it. You can do this with the touch command:
debian:~# lastb
lastb: /var/log/btmp: No such file or directory
Perhaps this file was removed by the operator to prevent logging lastb info.
debian:~# touch /var/log/btmp
debian:~# lastb

btmp begins Sat Mar 27 05:46:05 2004