You want to display information about executed commands, as recorded by process accounting.
To view the latest accounting information:
$ lastcomm [command-name] [user-name] [terminal-name]
To view the complete record using lastcomm:
# umask 077 Avoid publicly-readable accounting data in /var/tmp # zcat `ls -tr /var/account/pacct.*.gz` > /var/tmp/pacct # cat /var/account/pacct >> /var/tmp/pacct # lastcomm -f /var/tmp/pacct # rm /var/tmp/pacct
For more detailed information:
# dump-acct [--reverse] /var/account/pacct
The GNU accounting utilities are a collection of programs for viewing the audit trail. The most important is lastcomm, which prints the following information for each process:
The command name, truncated to sixteen characters.
A set of flags indicating if the command used superuser privileges, was killed by a signal, dumped core, or ran after a fork without a subsequent exec (many daemons do this).
The user who ran the command.
The controlling terminal for the command (if any).
The CPU time used by the command.
The start time of the command.
Information about commands is listed in reverse chronological order, as determined by the time when each process exited (which is when the kernel writes the accounting records). Commands can be selected by combinations of the command name, user, or terminal; see lastcomm(1) for details.
lastcomm can read an alternative log file with the -f option, but it cannot read from a pipe, because it needs to seek within the accounting file, so the following will not work:
Fails: $ zcat pacct.gz | lastcomm -f /dev/stdin
The kernel records much more information than is displayed by lastcomm. The undocumented dump-acct command prints more detailed information for each process:
The command name (same as lastcomm).
The CPU time, split into user and system (kernel) times, expressed as a number of ticks. The sum of these two times corresponds to the value printed by lastcomm.
The elapsed (wall clock) time, also in ticks. This can be combined with the start time to determine the exit time.
The numerical user and group IDs. These are real, not effective IDs. The user ID corresponds to the username printed by lastcomm.
The average memory usage, in kilobytes.
A measure of the amount of I/O (always zero for Version 2.4 or earlier kernels).
The start time, with one second precision (lastcomm prints the time truncated to only one minute precision).
Red Hat 8.0 kernels increased HZ to 512 for better time resolution, with a correspondingly shorter tick. The tickadj command prints the current value of the tick, in microseconds:
$ tickadj tick = 10000
By default, dump-acct lists commands in chronological order; use the -r or ?reverse options for behavior similar to lastcomm. One or more accounting files must be explicitly specified on the command line for dump-acct.