psacct Linux Utility for user activity

The psacct utility provides a way that you can monitor user or some other system activities on your Linux server. It’s handy to have when several users would have an account and access to the server such as a system that allows devs and other administrators to manage the server or add content. In addition you can also see what applications are doing.

The psacct or acct on Debian based systems contains the following sub utilities that you can use, these are:

  • sa – summarises accounting information of previous commands executed
  • lastcomm – provides information about previously executed commands
  • ac – provides statistics about users connect time


Redhat/Centos Based:

 yum install psacct 

Debian/Ubuntu Based:

 apt-get install acct 

The service may need to be started and/or you should check if it’s starting on boot with a chkconfig for Redhat/Centos systems.

 service psacct start 

or depending on your server’s distro. 

 service acct start 

sa –  summarizes accounting information:

sa summarizes information about previously executed commands as recorded in the acct file. In addition, it condenses this data into a summary file named savacct which contains the number of times the command was called and the system resources used. The information can also be summarised on a per-user basis; sa will save this information into a file named usracct.

Some quick commands using sa:

  • sa -a  —> will list all names and force sa not to sort unprintable characters.
  • sa -u  —> will list users for each command with the userid and command name.
  • sa -m —> will list user summary with the number of processes and number of                          CPU minutes on a per-user basis.
  • sa -c —> will list percentages of total time for the user commands, system and real time values.

lastcomm – info about previous executed commands:

If no arguments are specified, lastcomm will display info about all of the commands in acct (the record file). If called with one or more of command-name, username, or terminal-name, only records containing those items will be displayed. For example, to find out which users used command `a.out’ and which users were logged into `tty0′, type:
lastcomm a.out tty0

Some quick commands using lastcomm:

  • lastcomm —> will display a list of commands executed by users of the server
  • lastcomm keith –> will display a list of commands executed by a user named keith
  •  lastcomm rm –> will display each use of the rm command, might be very useful

ac – provides statistics about users connect time

ac provides a report of connect time (in hours) based on the logins/logouts of the server and provides this as a total.

Some quick commands using ac:

  • ac –> provides the total hours
  • ac -d –> provides totals for each day
  • ac -p –> provides time totals for users
  • ac -p keith –> provides time totals for the user keith

There is a lot to psacct and it’s sub utilities, and it’s not full proof, however you could look at ways of locking this down further from tampering and create scripts with cron jobs to automate the checking process!

Bookmark the permalink.