Monitoring openSuse with acct and netacct Tools

Every admin should know and use the acct/psacct and net-acct tools to find out whether the system is secure. You will probably have to download these packages yourself, because they are not part of the operating system's standard software selection. They are very useful, especially if you run Linux servers.

acct/psacct includes these commands:

ac prints statistics on users' logins and logouts (that is, connect time) in hours

lastcomm prints information about commands previously executed by users

accton turns process accounting on or off

sa summarizes information about previously executed commands

last/lastb present the listing of last logged in users and of bad login attempts

To get any information about user activity on the operating system, you first need to turn on process accounting by running:

linux-7tpy:/home/poganin # accton on
Turning on process accounting, file set to the default ‘/var/account/pacct’.
linux-7tpy:/home/poganin #

To turn accounting off, run:

linux-7tpy:/home/poganin # accton off
Turning off process accounting.

While accounting is running, you can use a few commands to get information.

ac

let's see the total statistics of connect time in hours

linux-7tpy:/home/poganin # ac
total      449.96
linux-7tpy:/home/poganin #

let's see the total login time for all users in the system

linux-7tpy:/home/poganin # ac -p
poganin                            449.99
total      449.99
linux-7tpy:/home/poganin #

let's see the total login time for the user poganin

linux-7tpy:/home/poganin # ac poganin
total      450.01
linux-7tpy:/home/poganin #

sa

let’s see all commands that have been executed by all users in the system

linux-7tpy:/home/poganin # sa
486 6475485.76re       8.76cp         0avio      4852k
8   16018.10re       5.00cp         0avio     48266k   chrome*
31   10543.12re       2.92cp         0avio     12607k   ***other*
3       0.00re       0.00cp         0avio       546k   which

2       0.01re       0.00cp         0avio       952k   xdg-mime*
2       0.00re       0.00cp         0avio       572k   iceauth
2       0.00re       0.00cp         0avio       625k   ip
2       0.00re       0.00cp         0avio       669k   sed
2       0.00re       0.00cp         0avio       655k   readlink
2       0.00re       0.00cp         0avio       712k   getent
linux-7tpy:/home/poganin #

let’s see all commands for each user

linux-7tpy:/home/poganin # sa -u
root       0.00 cpu     1226k mem      0 io bash            *
man        0.00 cpu      984k mem      0 io man             *
root       0.00 cpu      604k mem      0 io kdesu_stub
poganin    0.02 cpu      763k mem      0 io su
poganin    0.04 cpu    13318k mem      0 io QProcessManager *
poganin    0.37 cpu    25024k mem      0 io QInotifyFileSys
poganin    0.00 cpu      919k mem      0 io xdg-su
linux-7tpy:/home/poganin #

lastcomm

let’s see the last executed commands by all users in the system

linux-7tpy:/home/poganin # lastcomm
ip                     root     __         0.00 secs Sat Dec 28 13:24
gpg2             S     root     __         0.05 secs Sat Dec 28 13:24
y2base            F    root     __         0.00 secs Sat Dec 28 13:24
y2base            F    root     __         0.00 secs Sat Dec 28 13:24
linux-7tpy:/home/poganin #

let's see the last executed commands by the user poganin

linux-7tpy:/home/poganin # lastcomm poganin
CachePoolWorker      X poganin  __        99.60 secs Sat Dec 28 13:26
QProcessManager   F  X poganin  __         0.04 secs Sat Dec 28 13:06
su               S     poganin  pts/3      0.02 secs Sat Dec 28 13:06
linux-7tpy:/home/poganin #

let’s see the individual use of the man command

linux-7tpy:/home/poganin # lastcomm man
man              S     man      pts/1      0.10 secs Sat Dec 28 13:20
nroff             F    man      pts/1      0.00 secs Sat Dec 28 13:12
locale                 man      pts/1      0.00 secs Sat Dec 28 13:12
tbl                    man      pts/1      0.00 secs Sat Dec 28 13:12
preconv                man      pts/1      0.00 secs Sat Dec 28 13:12
man               F    man      pts/1      0.00 secs Sat Dec 28 13:12
linux-7tpy:/home/poganin #
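As an added example that is not part of the original post, the following shell script pulls the security-relevant facts out of lastcomm output: which commands ran with superuser privileges (the S flag) and how many accounted commands each account ran. The sample lines are constructed, modelled on the listings above. Because the number of flag columns varies from record to record, the fixed columns (user, tty, CPU time, date) are located by counting from the right.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Constructed sample of lastcomm output, modelled on the listings above.
LASTCOMM_SAMPLE='ip                     root     __         0.00 secs Sat Dec 28 13:24
gpg2             S     root     __         0.05 secs Sat Dec 28 13:24
su               S     poganin  pts/3      0.02 secs Sat Dec 28 13:06
QProcessManager   F  X poganin  __         0.04 secs Sat Dec 28 13:06
man              S     man      pts/1      0.10 secs Sat Dec 28 13:20'

# lastcomm columns: command, zero or more flag letters (S = run by the
# superuser, F = forked without a following exec, D = dumped core,
# X = terminated by SIGTERM), user, tty, CPU seconds, the word "secs",
# then a four-field date.  Since the flag columns vary, the fixed fields
# are located from the right:
#   $(NF-7) = user, $(NF-6) = tty, $2 .. $(NF-8) = flags (if any).

# Print "user command" for every record that ran with superuser privileges.
privileged_commands() {
    awk 'NF >= 9 {
        cmd = $1; user = $(NF-7)
        for (i = 2; i <= NF-8; i++)
            if ($i == "S") { print user, cmd; break }
    }'
}

# Print "user count": how many accounted commands each user ran.
commands_per_user() {
    awk 'NF >= 9 { n[$(NF-7)]++ } END { for (u in n) print u, n[u] }' | LC_ALL=C sort
}

echo "Commands run with superuser privileges:"
printf '%s\n' "$LASTCOMM_SAMPLE" | privileged_commands
echo "Accounted commands per user:"
printf '%s\n' "$LASTCOMM_SAMPLE" | commands_per_user
```

On a live system, pipe the real output instead of the sample: `lastcomm | privileged_commands`, or `lastcomm poganin | commands_per_user` to restrict the view to one account the way the `lastcomm poganin` call above does.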

last

let’s see the listing of last logged in users

linux-7tpy:/home/poganin # last
poganin  pts/1        :0               Sat Dec 28 15:10   still logged in   
poganin  pts/0        :0               Sat Dec 28 15:08   still logged in  
reboot   system boot  3.11.6-4-pae     Sun Dec  8 08:40 – 09:45  (01:04)    
poganin  pts/1        :0               Sat Dec  7 22:30 – 22:30  (00:00)    
poganin  pts/1        :0               Sat Dec  7 22:29 – 22:29  (00:00)    
poganin  pts/0        :0               Sat Dec  7 21:45 – 22:48  (01:03)    
reboot   system boot  3.11.6-4-pae     Sat Dec  7 21:43 – 22:48  (01:05)    
poganin  console      :0               Sat Dec  7 21:44 – crash  (00:00)    
reboot   system boot  3.11.6-4-pae     Sat Dec  7 21:43 – 22:48  (01:05)    
poganin  pts/3        :0               Sat Dec  7 20:44 – 20:45  (00:00)    
poganin  pts/1        :0               Sat Dec  7 19:48 – 19:48  (00:00)    
poganin  pts/0        :0               Sat Dec  7 19:44 – crash  (01:59)    
reboot   system boot  3.11.6-4-pae     Sat Dec  7 19:42 – 22:48  (03:06)    
poganin  console      :0               Sat Dec  7 19:43 – crash  (00:00)    
reboot   system boot  3.11.6-4-pae     Sat Dec  7 19:42 – 22:48  (03:06)    

wtmp begins Sat Nov 23 12:43:31 2013
linux-7tpy:/home/poganin #

let’s see the reboot information for your system

linux-7tpy:/home/poganin # last reboot
reboot   system boot  3.11.6-4-pae     Sat Dec 28 15:07 – 16:58  (01:50)    
reboot   system boot  3.11.6-4-pae     Sat Dec 28 15:07 – 16:58  (01:50)    
reboot   system boot  3.11.6-4-pae     Sat Dec 28 12:48 – 15:06  (02:18)    
reboot   system boot  3.11.6-4-pae     Sat Dec 28 12:48 – 15:06  (02:18)    
reboot   system boot  3.11.6-4-pae     Sat Dec 28 10:03 – 12:48  (02:44)    
reboot   system boot  3.11.6-4-pae     Sat Dec 28 10:03 – 12:48  (02:44)    
reboot   system boot  3.11.6-4-pae     Fri Dec 27 09:52 – 22:34  (12:41)    
reboot   system boot  3.11.6-4-pae     Fri Dec 27 09:52 – 22:34  (12:41)    
reboot   system boot  3.11.6-4-pae     Fri Dec 27 09:46 – 09:52  (00:05)   

wtmp begins Sat Nov 23 12:43:31 2013
linux-7tpy:/home/poganin #

lastb

let’s see all bad login attempts in the system

linux-7tpy:/home/poganin # lastb
poganin  pts/1                         Wed Dec 25 16:30 – 16:30  (00:00)    
poganin  pts/1                         Mon Dec 16 16:07 – 16:07  (00:00)    
poganin  pts/3                         Wed Dec  4 17:41 – 17:41  (00:00)    
poganin  pts/1                         Wed Dec  4 11:19 – 11:19  (00:00)    
poganin  tty1                          Fri Nov 29 16:28 – 16:28  (00:00)    
(unknown tty1                          Mon Nov 25 13:04 – 13:04  (00:00)    
(unknown tty1                          Mon Nov 25 13:04 – 13:04  (00:00)    

btmp begins Mon Nov 25 13:04:03 2013
linux-7tpy:/home/poganin #
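The lastb listing is most useful once it is summarized. As an added example (not from the original post), the script below counts failed login attempts per account and per terminal and surfaces accounts that cross a threshold. The sample is constructed from the listing above; the `(unknown` entry is lastb's truncated `(unknown)` marker for an attempt recorded without a recognised user name, and the script keeps it as its own bucket rather than dropping it.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Constructed lastb output, modelled on the listing above.  The blank line
# and the "btmp begins" trailer are part of what lastb prints.
LASTB_SAMPLE='poganin  pts/1                         Wed Dec 25 16:30 - 16:30  (00:00)
poganin  pts/1                         Mon Dec 16 16:07 - 16:07  (00:00)
poganin  pts/3                         Wed Dec  4 17:41 - 17:41  (00:00)
poganin  pts/1                         Wed Dec  4 11:19 - 11:19  (00:00)
poganin  tty1                          Fri Nov 29 16:28 - 16:28  (00:00)
(unknown tty1                          Mon Nov 25 13:04 - 13:04  (00:00)
(unknown tty1                          Mon Nov 25 13:04 - 13:04  (00:00)

btmp begins Mon Nov 25 13:04:03 2013'

# Keep only record lines: skip blank lines and the "btmp begins" trailer.
lastb_records() {
    awk 'NF > 0 && $1 != "btmp"'
}

# Print "user count" for every account with at least THRESHOLD failures
# (default 1).  "(unknown" is lastb's truncated "(unknown)" marker for an
# attempt without a recognised user name; it is counted as its own bucket.
failed_logins_per_user() {
    threshold=${1:-1}
    lastb_records | awk -v t="$threshold" '
        { n[$1]++ }
        END { for (u in n) if (n[u] >= t) print u, n[u] }' | LC_ALL=C sort
}

# Print "tty count": which terminals the failed attempts arrived on.
failed_logins_per_tty() {
    lastb_records | awk '{ n[$2]++ } END { for (t in n) print t, n[t] }' | LC_ALL=C sort
}

echo "Accounts with 3 or more failed logins:"
printf '%s\n' "$LASTB_SAMPLE" | failed_logins_per_user 3
echo "Failed logins per terminal:"
printf '%s\n' "$LASTB_SAMPLE" | failed_logins_per_tty
```

On a live system run `lastb | failed_logins_per_user 3` (lastb needs root to read /var/log/btmp, which is why the listing above is taken from a root shell).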

The netacct package uses the nacctd daemon to log all traffic.

After installing the package, you can find it in /usr/sbin/nacctd. So you can start the daemon by running:

/usr/sbin/nacctd

The traffic logs are in /var/log/net-acct, so to see them, run:

linux-7tpy:/home/poganin # cat /var/log/net-acct
1388241281      6       212.77.101.145  80      192.168.1.100   33121   260     eth0    unknown                        
1388241281      55      8.0.69.0        0       0.28.80.222     0       24064   wlan0   unknown
linux-7tpy:/home/poganin #

The fields in the output are:

timestamp protocol src-addr src-port dst-addr dst-port count size user interface
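Added example, not part of the original post: a small parser for /var/log/net-acct records. It assumes the nine-column layout visible in the sample listing above (timestamp, protocol number, source address and port, destination address and port, byte count, interface, user); if your nacctd writes a different column order, adjust the field numbers. The sample lines are constructed (the two from the listing plus two made-up records, using the documentation address 203.0.113.9). Beyond printing records readably, it totals bytes per interface and flags traffic seen on an interface the host is not expected to use, which is the kind of check that makes the raw log worth keeping.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Constructed /var/log/net-acct sample.  Column layout assumed from the
# listing above: ts proto src sport dst dport bytes iface user.
NETACCT_SAMPLE='1388241281 6 212.77.101.145 80 192.168.1.100 33121 260 eth0 unknown
1388241281 55 8.0.69.0 0 0.28.80.222 0 24064 wlan0 unknown
1388241300 17 192.168.1.100 53412 192.168.1.1 53 78 eth0 poganin
1388241305 6 192.168.1.100 44120 203.0.113.9 443 5120 eth0 poganin'

# One readable line per record, with the IP protocol number translated
# for the common cases (1 icmp, 6 tcp, 17 udp); others stay as "protoN".
traffic_summary() {
    awk 'function pname(p) {
             if (p == 1) return "icmp"
             if (p == 6) return "tcp"
             if (p == 17) return "udp"
             return "proto" p
         }
         NF >= 9 { printf "%s %s %s:%s -> %s:%s %s bytes on %s (%s)\n", $1, pname($2), $3, $4, $5, $6, $7, $8, $9 }'
}

# Print "iface bytes": total accounted bytes per interface.
bytes_per_interface() {
    awk 'NF >= 9 { b[$8] += $7 } END { for (i in b) print i, b[i] }' | LC_ALL=C sort
}

# Print every record whose interface is not in the allowed list given as
# arguments, e.g. "unexpected_interface_traffic eth0" on a wired-only server
# reports anything that went out over wlan0.
unexpected_interface_traffic() {
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 9 && !($8 in ok)'
}

echo "Traffic summary:"
printf '%s\n' "$NETACCT_SAMPLE" | traffic_summary
echo "Bytes per interface:"
printf '%s\n' "$NETACCT_SAMPLE" | bytes_per_interface
echo "Records on interfaces other than eth0:"
printf '%s\n' "$NETACCT_SAMPLE" | unexpected_interface_traffic eth0
```

On a live host, feed the real log instead of the sample, for example `bytes_per_interface < /var/log/net-acct`; the timestamps are epoch seconds, so `date -d @1388241281` (GNU date) converts one for reading.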

That's all you need. If you want more details, just run:

linux-7tpy:/home/poganin # man nacctd

That’s all.
