Howto Enable Process Accounting in Ubuntu: Acct will log user process

If you Enable process accounting in your system, it will help you to keep track of your user processes. It is very useful for System administrators for keeping log of your users.

in Ubuntu Process accounting can be done by installing utility called Acct

$ sudo apt-get install acct

$ sudo touch /var/log/pacct - make a log file for process accounting

$ sudo accton /var/log/pacct - enable process accounting on

or

$ /etc/init.d/acct start

For viewing the Process Information Use the following command

Display details about users' connect time

$ ac
ac command displays a report of connect time in hours based on the logins/logouts.

ac - Print total connection time.
ac -dp - display daily (-d) connection totals by person (-p)

Display information about previously executed user commands

$ sudo lastcomm john - will display the commands executed by user john

$ sudo lastcomm rm - search and display log by command rm

$ sudo lastcomm pts/1 - search and display log by terminal name


Print Accounting statistics

$ sudo sa
sa command will display information about previously executed commands, The information can also be summarized on a per-user basis

The output fields are labeled as follows:

cpu sum of system and user time in cpu seconds

re “real time” in cpu seconds

k cpu-time averaged core usage, in 1k units

avio average number of I/O operations per execution

tio total number of I/O operations

k*sec cpu storage integral (kilo-core seconds)

u user cpu time in cpu seconds

s system time in cpu seconds

Display ouput per user
$ sudo sa -u

Display the number of processes and number of CPU minutes on a per-user basis
$sudo sa -m

By using sa command and looking at re, k, cp/cpu time you can find out suspicious activity or user and command who is eating your CPU and Memory . An increase in CPU/memory usage is indication of problem.

see more here http://www.gnu.org/software/acct/manual/html_mono/accounting.html