Monitoring User Activity
Monitoring User Activity
System access can be monitored interactively using a number of measures. For example, syslog entries can be automatically viewed in real time using this command:
$ tail -f /var/adm/messages
However, most administrators want to view interactively what remote users are doing on a system at any time. We will examine two methods here for viewing remote user activity. The command who displays who is currently logged into the system. The output of who displays the username, connecting line, date of login, idle time, process ID, and a comment. Here’s an example output:
$ who root console Nov 22 12:39 natashia pts/0 Nov 19 21:05 (client.site.com)
This command can be automated to update the list of active users. An alternative to who is the w command, which displays a more detailed summary of the current activity on the system, including the current process name for each user. The header output from w shows the current time, the uptime of the current system, and the number of users actively logged into the system. The average system load is also displayed as a series of three numbers at the end of the w header, indicating the average number of jobs in the run queue for the previous 1, 5, and 15 minutes. In addition to the output generated by who, the w command displays the current foreground process for each user, which is usually a shell. For example, the following command shows that the root user has an active shelltool running under Open Windows, while the user natashia is running the Cornell shell:
7:15pm up 1 day(s), 5:11, 2 users, load average: 1.00, 1.00, 1.01 User tty login@ idle JCPU PCPU what root console Thu12pm 3days 6 6 shelltool natashia pts/12 Thu11am 8:45 9 /usr/local/bin/tcsh
The w and who commands are useful tools for getting an overview of current usage patterns on any Solaris system. Another useful command is last, which displays historical usage patterns for the current system in a sequential format:
$ last natashia pts/4 hp Wed Apr 11 19:00 still logged in root console :0 Tue Apr 10 20:11 still logged in natashia pts/2 nec Tue Apr 10 19:17 - 19:24 (00:06) natashia pts/6 austin Tue Apr 10 15:53 - 15:53 (00:00) root console :0 Tue Apr 10 14:24 - 16:25 (02:01) reboot system boot Tue Apr 10 14:04 natashia pts/5 hp Thu Apr 5 21:38 - 21:40 (00:01) natashia pts/5 hp Thu Apr 5 21:22 - 21:37 (00:15) natashia pts/5 10.64.18.1 Thu Apr 5 19:30 - 20:00 (00:30) natashia pts/5 hp Thu Apr 5 19:18 - 19:29 (00:11) root console :0 Thu Apr 5 19:17 - 22:05 (4+02:48) reboot system boot Thu Apr 5 19:14 natashia pts/5 hp Tue Apr 3 16:14 - 18:26 (02:11) natashia pts/5 hp Tue Apr 3 08:48 - 10:35 (01:47) root console :0 Tue Apr 3 08:45 - 22:01 (13:15) reboot system boot Tue Apr 3 08:43 root console :0 Fri Mar 30 18:54 - 19:27 (00:32) reboot system boot Fri Mar 30 18:46 natashia pts/6 hp Tue Mar 27 20:46 - 21:51 (01:04) root console :0 Tue Mar 27 19:50 - 21:51 (02:01) reboot system boot Tue Mar 27 19:48 root console :0 Mon Mar 26 17:43 - 17:47 (00:04)
An alternative view of system usage by application is provided by lastcomm. It shows the list of commands executed in reverse chronological order, as shown in this example:
$ lastcomm man pwatters pts/2 0.02 secs Mon Sep 2 20:24 sh pwatters pts/2 0.01 secs Mon Sep 2 20:24 more pwatters pts/2 0.03 secs Mon Sep 2 20:24 nsgmls pwatters pts/2 0.84 secs Mon Sep 2 20:24 sh pwatters pts/2 0.01 secs Mon Sep 2 20:24 mv pwatters pts/2 0.01 secs Mon Sep 2 20:24 sh pwatters pts/2 0.01 secs Mon Sep 2 20:24 col pwatters pts/2 0.02 secs Mon Sep 2 20:24 nroff pwatters pts/2 0.04 secs Mon Sep 2 20:24 eqn pwatters pts/2 0.01 secs Mon Sep 2 20:24 tbl pwatters pts/2 0.01 secs Mon Sep 2 20:24 cat pwatters pts/2 0.01 secs Mon Sep 2 20:24 sh pwatters pts/2 0.02 secs Mon Sep 2 20:24 sgml2rof pwatters pts/2 0.01 secs Mon Sep 2 20:24 instant pwatters pts/2 0.05 secs Mon Sep 2 20:24 sh pwatters pts/2 0.01 secs Mon Sep 2 20:24 grep pwatters pts/2 0.01 secs Mon Sep 2 20:24 lastcomm pwatters pts/2 0.16 secs Mon Sep 2 20:24
