Monitoring openSUSE with acct and netacct Tools
Every admin should know and use the acct/psacct and net-acct tools: they record who logged in, which commands were run and which network traffic passed through the machine, which is the evidence you need when checking whether a system has been misused. You will probably have to install these packages yourself, because they are not part of a default installation. They are very useful, especially if you run Linux servers.
The acct/psacct package includes these commands:
ac prints statistics about users’ connect time (the time between login and logout) in hours
lastcomm prints information about previously executed commands (selectable by command name, user or terminal)
accton turns process accounting on or off
sa summarizes information about previously executed commands
last/lastb list the last logged-in users and the failed login attempts, respectively
To get any information about user activity on the system, you first need to turn on process accounting by running:
linux-7tpy:/home/poganin # accton on
Turning on process accounting, file set to the default ‘/var/account/pacct’.
linux-7tpy:/home/poganin #
To turn accounting off, run:
linux-7tpy:/home/poganin # accton off
Turning off process accounting.
While accounting is running, you can use a few commands to get information.
ac
Let’s see the total connect time of all users, in hours:
linux-7tpy:/home/poganin # ac
total 449.96
linux-7tpy:/home/poganin #
Let’s see the connect time for each user in the system (-p prints one line per user):
linux-7tpy:/home/poganin # ac -p
poganin 449.99
total 449.99
linux-7tpy:/home/poganin #
Let’s see the total connect time for the user poganin (the totals grow slightly between runs because sessions that are still open are counted up to the current time):
linux-7tpy:/home/poganin # ac poganin
total 450.01
linux-7tpy:/home/poganin #
sa
Let’s see a summary of all commands executed by all users, grouped by command name. re is elapsed real time in minutes, cp is CPU time (user plus system) in minutes, avio is the average number of I/O operations per execution and k is the CPU-time weighted average memory use in kilobytes; a trailing asterisk marks processes that forked without executing a new program, and ***other collects command names that were run only once or contain unprintable characters:
linux-7tpy:/home/poganin # sa
486 6475485.76re 8.76cp 0avio 4852k
8 16018.10re 5.00cp 0avio 48266k chrome*
31 10543.12re 2.92cp 0avio 12607k ***other*
3 0.00re 0.00cp 0avio 546k which
…
2 0.01re 0.00cp 0avio 952k xdg-mime*
2 0.00re 0.00cp 0avio 572k iceauth
2 0.00re 0.00cp 0avio 625k ip
2 0.00re 0.00cp 0avio 669k sed
2 0.00re 0.00cp 0avio 655k readlink
2 0.00re 0.00cp 0avio 712k getent
linux-7tpy:/home/poganin #
Let’s see the individual process records with the user who ran each command (-u prints one line per record instead of a summary):
linux-7tpy:/home/poganin # sa -u
root 0.00 cpu 1226k mem 0 io bash *
man 0.00 cpu 984k mem 0 io man *
root 0.00 cpu 604k mem 0 io kdesu_stub
poganin 0.02 cpu 763k mem 0 io su
poganin 0.04 cpu 13318k mem 0 io QProcessManager *
poganin 0.37 cpu 25024k mem 0 io QInotifyFileSys
poganin 0.00 cpu 919k mem 0 io xdg-su
linux-7tpy:/home/poganin #
lastcomm
Let’s see the most recently executed commands by all users. The column after the command name holds flags: S means the process used superuser privileges, F that it forked without executing a new program, D that it dumped core and X that it was killed by a signal:
linux-7tpy:/home/poganin # lastcomm
ip root __ 0.00 secs Sat Dec 28 13:24
gpg2 S root __ 0.05 secs Sat Dec 28 13:24
y2base F root __ 0.00 secs Sat Dec 28 13:24
y2base F root __ 0.00 secs Sat Dec 28 13:24
linux-7tpy:/home/poganin #
Let’s see the most recently executed commands by the user poganin:
linux-7tpy:/home/poganin # lastcomm poganin
CachePoolWorker X poganin __ 99.60 secs Sat Dec 28 13:26
QProcessManager F X poganin __ 0.04 secs Sat Dec 28 13:06
su S poganin pts/3 0.02 secs Sat Dec 28 13:06
linux-7tpy:/home/poganin #
Let’s see the individual uses of the man command. Note that lastcomm matches its argument against the command name, the user name and the terminal, so on openSUSE, where man runs as the user man, this also lists the helper programs (nroff, tbl, preconv) that user ran:
linux-7tpy:/home/poganin # lastcomm man
man S man pts/1 0.10 secs Sat Dec 28 13:20
nroff F man pts/1 0.00 secs Sat Dec 28 13:12
locale man pts/1 0.00 secs Sat Dec 28 13:12
tbl man pts/1 0.00 secs Sat Dec 28 13:12
preconv man pts/1 0.00 secs Sat Dec 28 13:12
man F man pts/1 0.00 secs Sat Dec 28 13:12
linux-7tpy:/home/poganin #
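The lastcomm listing above is more useful when filtered: the records worth a second look are those carrying the S flag for a user other than root, because they are setuid-root programs (su, passwd, sudo) started by ordinary users. The following script is an added example and not part of the original post; it assumes the default lastcomm output format shown above (command, flags, user, terminal, CPU seconds, date) and uses constructed sample records, some taken from the page and some made up.

```shell
#!/bin/sh
# Added example (not from the original post): scan lastcomm output for
# processes that used superuser privileges (flag S) while the accounting
# user is not root, i.e. setuid-root programs such as su, and for any other
# flag you care about (F, D, X).
#
# lastcomm prints the flags in a fixed-width column, so awk's whitespace
# splitting yields a variable number of fields between the command name and
# the user; the right-hand side of the line ("... secs Sat Dec 28 13:24") is
# stable, so every field is addressed relative to NF.

# Constructed sample: records from the page plus made-up passwd/sudo lines.
LASTCOMM_SAMPLE='ip                     root     __         0.00 secs Sat Dec 28 13:24
gpg2             S     root     __         0.05 secs Sat Dec 28 13:24
y2base           F     root     __         0.00 secs Sat Dec 28 13:24
CachePoolWorker    X   poganin  __        99.60 secs Sat Dec 28 13:26
QProcessManager  F X   poganin  __         0.04 secs Sat Dec 28 13:06
su               S     poganin  pts/3      0.02 secs Sat Dec 28 13:06
passwd           S     poganin  pts/3      0.01 secs Sat Dec 28 13:30
sudo             S     poganin  pts/2      0.03 secs Sat Dec 28 13:31'

# lastcomm_with_flag FLAG [SKIP_USER]
# Reads lastcomm output on stdin and prints "user command tty cpu-seconds"
# for every record whose flags contain FLAG, skipping records of SKIP_USER.
lastcomm_with_flag() {
    awk -v want="$1" -v skip="${2:-}" '
        # $NF=HH:MM $(NF-1)=day $(NF-2)=month $(NF-3)=weekday $(NF-4)="secs"
        # $(NF-5)=cpu seconds $(NF-6)=tty $(NF-7)=user; $1=command;
        # $2 .. $(NF-8)=flags (absent when NF == 9)
        NF >= 9 && $(NF-4) == "secs" {
            user = $(NF-7); tty = $(NF-6); cpu = $(NF-5); cmd = $1
            flags = ""
            for (i = 2; i <= NF - 8; i++) flags = flags $i
            if (index(flags, want) > 0 && user != skip)
                printf "%s %s %s %s\n", user, cmd, tty, cpu
        }'
}

# Setuid-root executions started by ordinary users.
setuid_by_nonroot() {
    lastcomm_with_flag S root
}

printf '%s\n' "$LASTCOMM_SAMPLE" | setuid_by_nonroot
# On a live system:            lastcomm | setuid_by_nonroot
# Processes killed by a signal: lastcomm | lastcomm_with_flag X
```

On the sample this prints the su, passwd and sudo records for poganin and nothing for root’s gpg2, because the filter is about who started the process, not who it ended up running as.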
last
Let’s see the list of last logged-in users (read from /var/log/wtmp, as the last line of the output shows):
linux-7tpy:/home/poganin # last
poganin pts/1 :0 Sat Dec 28 15:10 still logged in
poganin pts/0 :0 Sat Dec 28 15:08 still logged in
reboot system boot 3.11.6-4-pae Sun Dec 8 08:40 – 09:45 (01:04)
poganin pts/1 :0 Sat Dec 7 22:30 – 22:30 (00:00)
poganin pts/1 :0 Sat Dec 7 22:29 – 22:29 (00:00)
poganin pts/0 :0 Sat Dec 7 21:45 – 22:48 (01:03)
reboot system boot 3.11.6-4-pae Sat Dec 7 21:43 – 22:48 (01:05)
poganin console :0 Sat Dec 7 21:44 – crash (00:00)
reboot system boot 3.11.6-4-pae Sat Dec 7 21:43 – 22:48 (01:05)
poganin pts/3 :0 Sat Dec 7 20:44 – 20:45 (00:00)
poganin pts/1 :0 Sat Dec 7 19:48 – 19:48 (00:00)
poganin pts/0 :0 Sat Dec 7 19:44 – crash (01:59)
reboot system boot 3.11.6-4-pae Sat Dec 7 19:42 – 22:48 (03:06)
poganin console :0 Sat Dec 7 19:43 – crash (00:00)
reboot system boot 3.11.6-4-pae Sat Dec 7 19:42 – 22:48 (03:06)
wtmp begins Sat Nov 23 12:43:31 2013
linux-7tpy:/home/poganin #
Let’s see the reboot history of the system:
linux-7tpy:/home/poganin # last reboot
reboot system boot 3.11.6-4-pae Sat Dec 28 15:07 – 16:58 (01:50)
reboot system boot 3.11.6-4-pae Sat Dec 28 15:07 – 16:58 (01:50)
reboot system boot 3.11.6-4-pae Sat Dec 28 12:48 – 15:06 (02:18)
reboot system boot 3.11.6-4-pae Sat Dec 28 12:48 – 15:06 (02:18)
reboot system boot 3.11.6-4-pae Sat Dec 28 10:03 – 12:48 (02:44)
reboot system boot 3.11.6-4-pae Sat Dec 28 10:03 – 12:48 (02:44)
reboot system boot 3.11.6-4-pae Fri Dec 27 09:52 – 22:34 (12:41)
reboot system boot 3.11.6-4-pae Fri Dec 27 09:52 – 22:34 (12:41)
reboot system boot 3.11.6-4-pae Fri Dec 27 09:46 – 09:52 (00:05)
wtmp begins Sat Nov 23 12:43:31 2013
linux-7tpy:/home/poganin #
lastb
Let’s see all failed login attempts on the system (read from /var/log/btmp). The user name (unknown is what login records when it had no valid account name for the attempt, typically a login with a user name that does not exist:
linux-7tpy:/home/poganin # lastb
poganin pts/1 Wed Dec 25 16:30 – 16:30 (00:00)
poganin pts/1 Mon Dec 16 16:07 – 16:07 (00:00)
poganin pts/3 Wed Dec 4 17:41 – 17:41 (00:00)
poganin pts/1 Wed Dec 4 11:19 – 11:19 (00:00)
poganin tty1 Fri Nov 29 16:28 – 16:28 (00:00)
(unknown tty1 Mon Nov 25 13:04 – 13:04 (00:00)
(unknown tty1 Mon Nov 25 13:04 – 13:04 (00:00)
btmp begins Mon Nov 25 13:04:03 2013
linux-7tpy:/home/poganin #
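Reading lastb by eye does not scale; what you want from it is a failure count per account and a list of attempts against accounts that do not exist. The script below is an added example, not part of the original post. It assumes the lastb output format shown above, with the ASCII "-" between the two times, and that remote logins add a host column (as "root ssh:notty 203.0.113.7 ..."); the sample is constructed from the page’s lines plus made-up SSH failures.

```shell
#!/bin/sh
# Added example (not from the original post): turn the lastb listing into a
# per-user failure count and a list of attempts against accounts that do not
# exist. lastb shows such attempts with the user name "(unknown" (truncated
# "(unknown)" on older util-linux); for remote logins it adds a host column,
# so fields are addressed from the right. The footer "btmp begins ..." and
# blank lines are skipped by the field-count guard.

# Constructed sample: the page's lastb lines (time separator normalised to
# a plain "-") plus made-up SSH failures for root from one address.
LASTB_SAMPLE='poganin  pts/1        Wed Dec 25 16:30 - 16:30  (00:00)
poganin  pts/1        Mon Dec 16 16:07 - 16:07  (00:00)
poganin  pts/3        Wed Dec  4 17:41 - 17:41  (00:00)
poganin  pts/1        Wed Dec  4 11:19 - 11:19  (00:00)
poganin  tty1         Fri Nov 29 16:28 - 16:28  (00:00)
(unknown tty1         Mon Nov 25 13:04 - 13:04  (00:00)
(unknown tty1         Mon Nov 25 13:04 - 13:04  (00:00)
root     ssh:notty    203.0.113.7      Mon Dec 30 02:11 - 02:11  (00:00)
root     ssh:notty    203.0.113.7      Mon Dec 30 02:11 - 02:11  (00:00)
root     ssh:notty    203.0.113.7      Mon Dec 30 02:12 - 02:12  (00:00)
root     ssh:notty    203.0.113.7      Mon Dec 30 02:13 - 02:13  (00:00)

btmp begins Mon Nov 25 13:04:03 2013'

# "count user" per account, most failures first. A record line has at least
# nine fields and "-" as the third field from the right.
failed_logins_per_user() {
    awk 'NF >= 9 && $(NF-2) == "-" { n[$1]++ }
         END { for (u in n) printf "%d %s\n", n[u], u }' | sort -rn
}

# Accounts with at least $1 failures, one per line (most failures first).
users_over_threshold() {
    failed_logins_per_user | awk -v t="$1" '$1 >= t { print $2 }'
}

# Attempts against non-existent accounts: "tty origin month day time",
# where origin is the host column when present and "local" otherwise.
unknown_account_attempts() {
    awk 'NF >= 9 && $(NF-2) == "-" && $1 ~ /^\(unknown/ {
            origin = (NF >= 10) ? $3 : "local"
            printf "%s %s %s %s %s\n", $2, origin, $(NF-5), $(NF-4), $(NF-3)
         }'
}

printf '%s\n' "$LASTB_SAMPLE" | failed_logins_per_user
printf '%s\n' "$LASTB_SAMPLE" | users_over_threshold 4
printf '%s\n' "$LASTB_SAMPLE" | unknown_account_attempts
# On a live system: lastb | users_over_threshold 10
```

With the sample, poganin (5) and root (4) exceed a threshold of 4 and the two (unknown entries are listed as local attempts on tty1; on a real server the interesting output is usually a remote host repeating root or service-account names.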
The netacct package uses the nacctd daemon to log all traffic.
After installing the package, the daemon is at /usr/sbin/nacctd, so you can start it by running:
/usr/sbin/nacctd
The traffic log is /var/log/net-acct; to see it, run
linux-7tpy:/home/poganin # cat /var/log/net-acct
1388241281 6 212.77.101.145 80 192.168.1.100 33121 260 eth0 unknown
1388241281 55 8.0.69.0 0 0.28.80.222 0 24064 wlan0 unknown
linux-7tpy:/home/poganin #
The columns in the output are:
timestamp protocol src-addr src-port dst-addr dst-port count size user interface
Note that the sample above has nine columns, with the interface name before the user column and only one of the two counters present, so check the format of your version against man nacctd before you parse the file.
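Rather than cat the raw log, you will normally want totals and a list of flows that no known service explains. The script below is an added example, not part of the original post or of net-acct. It assumes only what the output above shows: one flow per line, the IP protocol number in the second column (6 = TCP, 17 = UDP, 1 = ICMP) and the line ending in bytes, interface and user, so the counters are addressed from the right and a build that also writes a packet count before the byte count still parses. The sample mixes the two records from the page with made-up ones.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a net-acct log instead
# of reading it raw. Assumptions, based only on the output shown above: one
# flow per line; the second column is the IP protocol number (6 = TCP,
# 17 = UDP, 1 = ICMP); the line ends with "<bytes> <interface> <user>", so the
# sample lines have nine columns (a tenth, a packet count, may precede the
# byte count in other builds, which is why counters are addressed from NF).

# Constructed sample: the two records from the page plus made-up records for
# an inbound SSH session, a DNS lookup and an outbound connection to port 4444.
NACCT_SAMPLE='1388241281 6 212.77.101.145 80 192.168.1.100 33121 260 eth0 unknown
1388241281 55 8.0.69.0 0 0.28.80.222 0 24064 wlan0 unknown
1388241300 6 203.0.113.7 51022 192.168.1.100 22 4096 eth0 unknown
1388241302 17 192.168.1.100 40123 192.168.1.1 53 120 eth0 unknown
1388241310 6 192.168.1.100 45000 198.51.100.9 4444 98304 eth0 unknown'

# Total bytes per interface: "interface bytes", sorted by interface name.
bytes_per_interface() {
    awk 'NF >= 9 { total[$(NF-1)] += $(NF-2) }
         END { for (i in total) printf "%s %d\n", i, total[i] }' | sort
}

# Flows that touch none of the service ports listed in $1 (comma-separated),
# i.e. traffic not explained by a service you know about. Prints
# "proto src:sport -> dst:dport bytes iface".
flows_outside_known_services() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, port, ",")
            for (i = 1; i <= n; i++) ok[port[i]] = 1
            name[6] = "tcp"; name[17] = "udp"; name[1] = "icmp"
        }
        NF >= 9 && !($4 in ok) && !($6 in ok) {
            proto = ($2 in name) ? name[$2] : "proto" $2
            printf "%s %s:%s -> %s:%s %s %s\n", proto, $3, $4, $5, $6, $(NF-2), $(NF-1)
        }'
}

printf '%s\n' "$NACCT_SAMPLE" | bytes_per_interface
printf '%s\n' "$NACCT_SAMPLE" | flows_outside_known_services 22,53,80
# On a live system: flows_outside_known_services 22,53,80 < /var/log/net-acct
```

For the sample this reports 102780 bytes on eth0 and 24064 on wlan0, and flags two flows: the protocol-55 record with no ports, and the outbound TCP connection to port 4444. The HTTP response from port 80 is not flagged even though its destination port is an ephemeral one, because either end of the flow may be the known service.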
That is all you need. If you want more details, run
linux-7tpy:/home/poganin # man nacctd
That’s all.