Howto psacct – lastcomm

Continuing from the previous articles “Howto psacct” and “Find / Detect Command History for users”, this post covers Howto psacct – lastcomm.

Howto psacct – lastcomm – History of previously executed commands by a user

Find the history of previously executed commands by a user

As mentioned in the post “Find / Detect Command History for users”, you can use lastcomm to check the history of commands used by any user on the system. So if I want to check the history of commands executed by user gagan on my system, I will use the following command:

# lastcomm gagan

Output:

su               S     gagan    stderr     0.00 secs Sat Jan 10 18:38
bash                   gagan    stderr     0.11 secs Sat Jan 10 18:38
gconftool-2            gagan    ??         0.00 secs Sat Jan 10 18:39
gconftool-2            gagan    ??         0.00 secs Sat Jan 10 18:39
ac                     gagan    stderr     0.00 secs Sat Jan 10 18:39
ac                     gagan    stderr     0.00 secs Sat Jan 10 18:39
ac                     gagan    stderr     0.00 secs Sat Jan 10 18:38
bash              F    gagan    stderr     0.00 secs Sat Jan 10 18:38
bash              F    gagan    stderr     0.04 secs Sat Jan 10 18:38
sed                    gagan    stderr     0.01 secs Sat Jan 10 18:38
bash              F    gagan    stderr     0.00 secs Sat Jan 10 18:38
bash              F    gagan    stderr     0.00 secs Sat Jan 10 18:38
uname                  gagan    stderr     0.00 secs Sat Jan 10 18:38
bash              F    gagan    stderr     0.00 secs Sat Jan 10 18:38
uname                  gagan    stderr     0.00 secs Sat Jan 10 18:38
bash              F    gagan    stderr     0.00 secs Sat Jan 10 18:38
dircolors              gagan    stderr     0.00 secs Sat Jan 10 18:38
bash              F    gagan    stderr     0.00 secs Sat Jan 10 18:38
lesspipe               gagan    stderr     0.00 secs Sat Jan 10 18:38
lesspipe          F    gagan    stderr     0.00 secs Sat Jan 10 18:38
dirname                gagan    stderr     0.00 secs Sat Jan 10 18:38
basename               gagan    stderr     0.00 secs Sat Jan 10 18:38
bogofilter             gagan    ??         0.00 secs Sat Jan 10 18:37
apt-check              gagan    ??         1.62 secs Sat Jan 10 18:36

I will explain what each field means by taking the first line of this output:

su               S     gagan    stderr     0.00 secs Sat Jan 10 18:38

here,

    * su is command name of the process
    * S and X are flags, as recorded by the system accounting routines. Following is the meaning of each flag:
          o S -- command executed by super-user
          o F -- command executed after a fork but without a following exec
          o D -- command terminated with the generation of a core file
          o X -- command was terminated with the signal SIGTERM
    * gagan the name of the user who ran the process
    * stderr terminal name (it can also be pts/0 or something like it)
    * 0.00 secs - time the process exited
    * And last is the actual time when the command was fired.
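
As an added example (not part of the original article), the shell functions below normalise lastcomm output into tab-separated fields so records can be filtered by flag. Each line is parsed from the right because the flag column is blank for most records; the function names and the last sample line are made up for illustration.

```shell
#!/bin/sh
# Normalise lastcomm output (stdin) to tab-separated records:
#   command  flags  user  tty  secs  time
# The flag column is often blank, so splitting on whitespace from the left
# shifts every later field. Parse from the right instead: the last eight
# tokens are user, tty, N.NN, "secs", weekday, month, day, hh:mm.
lastcomm_tsv() {
    awk '
        NF >= 9 && $(NF-4) == "secs" {
            flags = ""
            # Anything between the command and the user is flag text;
            # join it in case flags were printed in separate columns.
            for (i = 2; i <= NF - 8; i++) flags = flags $i
            if (flags == "") flags = "-"
            printf "%s\t%s\t%s\t%s\t%s\t%s %s %s %s\n",
                $1, flags, $(NF-7), $(NF-6), $(NF-5),
                $(NF-3), $(NF-2), $(NF-1), $NF
        }'
}

# Print "user command" for every record carrying flag $1 (S, F, D or X).
lastcomm_flagged() {
    lastcomm_tsv | awk -F '\t' -v f="$1" 'index($2, f) { print $3, $1 }'
}

# Constructed sample: the first four lines follow the article's output,
# the last one is made up to exercise two flags in separate columns.
sample_lastcomm() {
    cat <<'EOF'
su               S     gagan    stderr     0.00 secs Sat Jan 10 18:38
bash                   gagan    stderr     0.11 secs Sat Jan 10 18:38
bash              F    gagan    stderr     0.00 secs Sat Jan 10 18:38
apt-check              gagan    ??         1.62 secs Sat Jan 10 18:36
sleep            S   X root     pts/0      0.00 secs Sat Jan 10 18:40
EOF
}

# Commands run with super-user privileges in the sample.
# On a live system: lastcomm | lastcomm_flagged S
sample_lastcomm | lastcomm_flagged S
```
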

Howto psacct – lastcomm – Command Filtering

You can also filter the accounting records by command name. So in case you want to find out the users who used the rm command, you can use the following command:

# lastcomm rm

Output:

rm                     gagan    ??         0.00 secs Sat Jan 10 18:50
rm                     gagan    ??         0.00 secs Sat Jan 10 18:50
rm                     gagan    ??         0.00 secs Sat Jan 10 18:50
rm                     gagan    ??         0.00 secs Sat Jan 10 18:50
rm                     smmsp    ??         0.00 secs Sat Jan 10 18:43

Howto psacct – lastcomm – Terminal Name

You can also search the accounting logs by terminal name:

# lastcomm pts/1
