lastcomm Command: Monitor User Activity and Previously Executed Commands

The lastcomm command is used to monitor user activity on Linux. What does that mean? Everything on Linux is done by running commands, so lastcomm lets you monitor user activity by listing previously executed commands.

Personally, we used this utility in my organization for exactly this. A few times users ran commands that were dangerous to the environment and afterwards would not admit it, so we had to find proof that they ran them. In this article we are going to see how to do user activity monitoring.

Syntax:

lastcomm [Command Name]
lastcomm [User Name]
lastcomm [Terminal]

How to install psacct in RHEL / CentOS and Ubuntu

# yum install psacct -y
# sudo apt-get install acct

By default the psacct service is stopped. It has to be enabled and started before user activity can be monitored.

# systemctl status psacct
# systemctl enable psacct
# systemctl start psacct

[root@ArkitServer ~]# lastcomm

Running lastcomm without any arguments lists every command that has been run on the system.

How to understand command output

For each entry the following information is printed:

  • Command name of the process
  • Flags, as recorded by the system accounting routines:
      ◦ S – Command executed by super-user
      ◦ F – Command executed after a fork but without a following exec
      ◦ C – Command run in PDP-11 compatibility mode
      ◦ D – Command terminated with the generation of a core file
      ◦ X – Command was terminated with the signal SIGTERM
  • The name of the user who ran the process
  • Time the process started
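
The flags column is empty for most entries, so splitting a line on whitespace from the left puts the user name in a different field each time. The following is an added example, not from the original article: it parses lastcomm output from the right and lists one user's commands that carry a given flag. The sample lines, the assumed column layout and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: right-anchored parsing of lastcomm output.
# Assumed column layout (GNU acct lastcomm default output):
#   command [flags] user tty cpu "secs" weekday month day HH:MM
# Assumes command names contain no spaces.

# Constructed sample lines, not captured from a real host.
sample_lastcomm() {
cat <<'EOF'
rm                S     root     pts/0      0.00 secs Mon Oct 10 10:21
ls                      arkit    pts/0      0.00 secs Mon Oct 10 10:20
bash               F    arkit    pts/0      0.00 secs Mon Oct 10 10:19
python3           S  DX root     pts/1      0.42 secs Mon Oct 10 10:18
crond             SF    root     __         0.00 secs Mon Oct 10 10:15
EOF
}

# Emit user|tty|command|flags|start-time, one record per line.
parse_lastcomm() {
    awk 'NF >= 9 {
        flags = ""
        # Fields between the command and the user are flag groups; a gap
        # in the flag column ("S  DX") splits them into several fields.
        for (i = 2; i <= NF - 8; i++) flags = flags $i
        if (flags == "") flags = "-"
        # The last eight fields are fixed, so count back from the end.
        printf "%s|%s|%s|%s|%s %s %s %s\n",
            $(NF-7), $(NF-6), $1, flags, $(NF-3), $(NF-2), $(NF-1), $NF
    }'
}

# Print "command tty start-time" for entries by user $1 carrying flag $2.
commands_with_flag() {
    parse_lastcomm | awk -F'|' -v u="$1" -v f="$2" \
        '$1 == u && index($4, f) { print $3, $2, $5 }'
}

# Demo on the constructed sample; on a live host use:
#   lastcomm | commands_with_flag root S
sample_lastcomm | commands_with_flag root S
```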

To fetch the details by user name, pass the user name to lastcomm. It then lists only the commands run by that particular user.

# lastcomm arkit

To see the details for a particular command (when it ran, who ran it, from which terminal and for how long), pass the command name.

# lastcomm ls

Commands run from a particular terminal can also be identified, as shown below.

# lastcomm pts/0

All of these arguments can also be combined in a single lastcomm command, which is a simple way to get exactly the details required.

# lastcomm pts/0 arkit ls

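Instead of reading the default accounting data, lastcomm can read a specific process accounting file with the -f option. The accounting file is /var/account/pacct on RHEL / CentOS and /var/log/account/pacct on Ubuntu; /var/log/lastlog is the last-login database, not an accounting file, so lastcomm cannot read it.

# lastcomm -f /var/account/pacct
# lastcomm -f /var/account/pacct arkit

That's it about using the lastcomm command to monitor user activity and previously executed commands.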
