لطفا منتظر باشید ...
Recipe 9.39 Displaying All Executed Commands
9.39.1 Problem
You want to display information about executed commands, as recorded
by
process accounting.
9.39.2 Solution
To view the latest accounting
information:
$ lastcomm [command-name] [user-name] [terminal-name]
To view the complete record using lastcomm:
# umask 077 Avoid publicly-readable accounting data in /var/tmp
# zcat `ls -tr /var/account/pacct.*.gz` > /var/tmp/pacct
# cat /var/account/pacct >> /var/tmp/pacct
# lastcomm -f /var/tmp/pacct
# rm /var/tmp/pacct
For more detailed information:
# dump-acct [--reverse] /var/account/pacct
9.39.3 Discussion
The GNU accounting utilities are a collection of programs for viewing
the audit trail. The most important is lastcomm,
which prints the following information for each process:
- The command name , truncated to sixteen
characters. - A set of flags indicating if the command used
superuser privileges, was killed by a signal, dumped core, or ran
after a fork without a subsequent
exec (many daemons do this). - The user who ran the command.
- The controlling terminal for the command (if
any). - The CPU time used by the command.
- The start time of the command.
as determined by the time when each process exited (which is when the
kernel writes the accounting records). Commands can be selected by
combinations of the command name, user, or terminal; see lastcomm(1)
for details.lastcomm can read an alternative log file with the
-f option, but it cannot read from a pipe, because
it needs to seek within the accounting file, so the following will
not work:
Fails:
$ zcat pacct.gz | lastcomm -f /dev/stdin
The kernel records much more information than is displayed by
lastcomm. The undocumented
dump-acct command prints more detailed
information for each process:
- The command name (same as
lastcomm). - The CPU time , split into user and system
(kernel) times, expressed as a number of ticks. The sum of these two
times corresponds to the value printed by
lastcomm. - The elapsed (wall clock) time , also in
ticks. This can be combined with the
start time to determine the exit time. - The numerical user and group IDs . These are
real, not effective IDs. The user ID corresponds to the username
printed by lastcomm. - The average memory usage , in kilobytes.
- A measure of the amount of I/O (always zero for
Version 2.4 or earlier kernels). - The start time , with one second precision
(lastcomm prints the time truncated to only one
minute precision).
|
resolution, with a correspondingly shorter tick. The
tickadj command prints the current value of the
tick, in microseconds:
$ tickadj
tick = 10000
By default, dump-acct lists commands in
chronological order; use the -r or
reverse options for behavior similar to
lastcomm. One or more accounting files must be
explicitly specified on the command line for
dump-acct.
9.39.4 See Also
lastcomm(1).
