Introduction
If you need to monitor Linux user activity and profile how people use a server, the GNU **acct** package (also packaged as **psacct** on some distributions) provides small, reliable, terminal-based tools that record logins, commands, CPU/time and I/O. This guide walks you from prerequisites to installation, enabling accounting, key commands (`ac`, `lastcomm`, `sa`), verification and troubleshooting so you can start auditing users quickly.
Prerequisites
- You must have root privileges or sudo access. sudo runs commands as root — it's required to install packages and manipulate system accounting files.
- A supported Linux distribution with package manager access (apt, yum/dnf, pacman).
- Enough disk space, plus log rotation for **/var/account/pacct** and **/var/log/wtmp**, so these files do not grow without bound.
Installation
Install the package (Debian/Ubuntu example). The package name is **acct** on most distributions; some older docs call it **psacct**.
```
sudo apt-get install acct
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  acct
0 upgraded, 1 newly installed, 0 to remove and 12 not upgraded.
Need to get 54.2 kB of archives.
After this operation, 190 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal/main amd64 acct amd64 7.6.0-1 [54.2 kB]
Fetched 54.2 kB in 0s (350 kB/s)
Selecting previously unselected package acct.
(Reading database ... 123456 files and directories currently installed.)
Preparing to unpack .../acct_7.6.0-1_amd64.deb ...
Unpacking acct (7.6.0-1) ...
Setting up acct (7.6.0-1) ...
Processing triggers for man-db (2.9.1-1) ...
```
Explanation: sudo elevates your privileges so the package manager can install system software. Installing **acct** provides the commands used below (accton, ac, sa, lastcomm).
Setup: Enable and start accounting
After installation, enable and start the accounting service (systemd example). Enabling ensures accounting starts on boot.
```
sudo systemctl status acct
● acct.service - GNU process accounting
     Loaded: loaded (/lib/systemd/system/acct.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2026-03-02 09:12:34 UTC; 2min 15s ago
   Main PID: 1234 (acctd)
      Tasks: 1 (limit: 4567)
     Memory: 1.2M
     CGroup: /system.slice/acct.service
             └─1234 /usr/sbin/acctd --start
```
Explanation: Checking status with `systemctl status` shows whether the accounting daemon is running and enabled. If not active, start and enable it as below.
```
sudo systemctl enable acct
Created symlink /etc/systemd/system/multi-user.target.wants/acct.service → /lib/systemd/system/acct.service.
sudo systemctl start acct
```
Explanation: `systemctl enable` creates the boot-time symlink and `systemctl start` launches the service immediately. Starting the service registers accounting so **/var/account/pacct** can be written.
Some setups use the older tool `accton` to toggle accounting on the kernel accounting file:
```
sudo accton on
```
Explanation: `accton on` tells the accounting subsystem to begin recording into the default file (usually **/var/account/pacct**). If the command returns no output, it succeeded; you can later stop accounting with `sudo accton off`.
Verify accounting files
Confirm the main accounting file exists and has sensible permissions. The default path is **/var/account/pacct**.
```
ls -l /var/account/pacct
-rw-r----- 1 root root 1048576 Mar 2 09:12 /var/account/pacct
```
Explanation: This lists the accounting file and its ownership. Only root should normally be allowed to read it; tools like `sa` and `lastcomm` require root to get full data.
Basic commands and examples
Here are the core tools you'll use to monitor Linux user activity with **acct** / **psacct**. For each command I show realistic sample output and explain what to look for.
ac — connection time summaries
```
ac --individual-totals
seth     20.16
larry    43.60
curly    10.32
moe      35.11
```
Explanation: `ac` reports login session durations based on **/var/log/wtmp**. The `--individual-totals` flag prints hours per user. Use `--file` to point to an alternate wtmp file. This helps answer “how active is each user?”
```
ac --daily-totals
Mar 01 total 22.61
Mar 02 total 73.60
Mar 03 total 84.00
Today total 62.13
```
Explanation: `--daily-totals` shows total login hours per day, which is useful for spotting unusually busy days.
```
ac -d
Mar 02 total 73.60
Mar 03 total 84.00
```
Explanation: `ac -d` is a shorthand for daily totals.
lastcomm — list the last commands
```
sudo lastcomm --strict-match --user curly --tty pts/2
basename               curly    pts/2      0.00 secs Tue Jan 28 15:41
ps                     curly    pts/2      0.01 secs Tue Jan 28 15:41
bash              F    curly    pts/2      0.00 secs Tue Jan 28 15:41
sed                    curly    pts/2      0.00 secs Tue Jan 28 15:41
```
Explanation: `lastcomm` shows commands recorded by the accounting subsystem. `--strict-match` prints only entries that match every filter given on the command line, `--user` filters by username and `--tty` limits output to one terminal. The `F` in the flags column marks a process that forked without a following exec. Because logging in spawns many processes, you may need to filter results (for example using `grep` or limiting by time).
```
lastcomm seth
bash    seth    pts/0    0.02 secs Tue Mar 2 09:05
ls      seth    pts/0    0.00 secs Tue Mar 2 09:05
man     seth    pts/0    0.05 secs Tue Mar 1 17:42
```
Explanation: Running `lastcomm user` without extra filters prints recent commands attributed to that user.
sa — summarize process accounting
```
sudo sa --print-users
root     0.00 cpu      579k mem      0 io accton
root     0.03 cpu    64064k mem      0 io sudo
seth     0.00 cpu    56752k mem      0 io bash *
seth     0.00 cpu    54080k mem      0 io sed
larry    0.00 cpu    56752k mem      0 io bash
curly    0.00 cpu    56752k mem      0 io bash
moe      0.00 cpu    56752k mem      0 io bash
seth     0.00 cpu    54080k mem      0 io ls
```
Explanation: `sa --print-users` prints each recorded command with its user. This is helpful for auditing what commands have been run and by whom.
```
sudo sa --user-summary
          1065  2169.59re  0.97cp  0avio  49373k
seth       812  1117.11re  0.83cp  0avio  58163k
root       199  1052.42re  0.14cp  0avio  21314k
larry       41     0.00re  0.00cp  0avio  19403k
curly        1     0.06re  0.00cp  0avio   6706k
moe         12     0.00re  0.00cp  0avio  25888k
```
Explanation: `sa --user-summary` (short form `-m`) aggregates accounting per user: counts, real/CPU time, I/O and memory metrics. The first line, with no user name, is the total across all users. Options like `--sort-tio` and `--sort-cpu-avmem` let you sort by different metrics; use `--reverse-sort` to invert the order.
```
sudo sa
cmdname  calls  real time  cpu time  ave memory  kcore-secs
bash       812  1117.11re    0.83cp      56752k      46000k
sshd       199  1052.42re    0.14cp      64064k      12800k
ls         121    12.34re    0.01cp      54080k       5400k
```
Explanation: `sa` with no options prints a process-oriented summary (per command), showing how often commands ran and their resource usage. This highlights which commands consume the most time or memory.
Verification and regular maintenance
Typical verification steps after enabling accounting:
- Check service: `sudo systemctl status acct` (see earlier example).
- Confirm **/var/account/pacct** and **/var/log/wtmp** exist and are being updated (use `ls -l` and `stat` if necessary).
- Set up logrotate for **/var/account/pacct** to compress and rotate old accounting files; the file can grow large.
Troubleshooting
1) No output from ac or lastcomm
Cause: Either accounting is not enabled, or the accounting files (**/var/account/pacct** or **/var/log/wtmp**) are missing or empty.
Fix:
- Ensure accounting is on: `sudo accton on` (no output on success).
- Start the service: `sudo systemctl start acct` (no output; check status with `sudo systemctl status acct`).
- Create an empty **wtmp** if needed, then confirm it exists:
```
sudo touch /var/log/wtmp
ls -l /var/log/wtmp
-rw-r--r-- 1 root root 0 Mar 2 09:20 /var/log/wtmp
```
Explanation: Some tools (like `ac`) read **/var/log/wtmp** for login durations; if wtmp doesn't exist, create it and the init/login processes will populate it.
2) Permission denied reading **/var/account/pacct**
Cause: Only root can read the raw accounting file by default.
Fix: Run accounting summaries with `sudo` (examples above use `sudo sa`, `sudo lastcomm`). You can configure a restricted reporting workflow using scripts that run as root and export sanitized reports for non-root admins.
3) Accounting file grows too large
Fix: Configure logrotate for **/var/account/pacct** and compress/rotate periodically. Example logrotate snippet (place in /etc/logrotate.d/):
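```
/var/account/pacct {
    weekly
    rotate 12
    compress
    copytruncate
    missingok
    notifempty
}
```
With this in place, **/var/account/pacct** is rotated weekly and compressed, retaining 12 weeks.
Explanation: Rotating prevents disk exhaustion; `copytruncate` copies the file and then truncates it in place, so accounting keeps writing to the same file. Records written between the copy and the truncate are lost, which matters if the file is used as an audit trail.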
User profiling and automation
Combine **acct** tools with scripts, cron jobs, or SIEM pipelines to produce weekly summaries, alert on unusual CPU/I/O by user, or integrate with centralized logs. Because **acct** is terminal-based and standard text output, it is easy to parse with awk, Python, or other tools for custom dashboards.
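A parser for `lastcomm` output of the kind this section describes, as an added example (not part of the original guide or the acct project). It matches the trailing columns first so that command names containing spaces and the optional flags column are handled, then counts commands per user and lists records flagged S, D or X. The sample lines and the `watch_flags` default are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the column layout lastcomm prints (not real data).
SAMPLE = """\
basename               curly    pts/2      0.00 secs Tue Jan 28 15:41
ps                     curly    pts/2      0.01 secs Tue Jan 28 15:41
bash              F    curly    pts/2      0.00 secs Tue Jan 28 15:41
sudo              S    seth     pts/0      0.03 secs Tue Jan 28 15:40
Web Content        X   larry    __         1.20 secs Tue Jan 28 15:39
garbage line
"""

# Anchor on the trailing columns: command names may contain spaces, and the flags
# column (S=superuser, F=fork without exec, D=core dump, X=killed by signal) is optional.
LINE = re.compile(
    r"^(?P<head>.+?)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<cpu>\d+\.\d+)\s+secs\s+"
    r"(?P<when>\w{3}\s+\w{3}\s+\d{1,2}\s+\d\d:\d\d)$"
)
FLAGS = re.compile(r"^(?P<cmd>.+?)\s+(?P<flags>[SFCDX]+)$")

def parse(text):
    """Return (records, skipped); unparseable lines are counted, not hidden."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = LINE.match(line.rstrip())
        if not m:
            skipped += 1 if line.strip() else 0
            continue
        head = m["head"].strip()
        f = FLAGS.match(head)
        records.append({
            "cmd": f["cmd"] if f else head, "flags": f["flags"] if f else "",
            "user": m["user"], "tty": m["tty"],
            "cpu": float(m["cpu"]), "when": m["when"],
        })
    return records, skipped

def review(records, watch_flags="SDX"):  # watch_flags default is an assumption
    """Per-user command counts plus the records carrying a watched flag."""
    per_user = Counter(r["user"] for r in records)
    flagged = [r for r in records if set(r["flags"]) & set(watch_flags)]
    return per_user, flagged

if __name__ == "__main__":
    recs, skipped = parse(SAMPLE)
    per_user, flagged = review(recs)
    print(dict(per_user), "skipped:", skipped, [r["cmd"] for r in flagged])
```

A non-zero skipped count means the output layout differs from what the parser expects, so a report built on it should surface that number rather than discard it.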
Security and privacy considerations
Recording user commands and resource usage may have privacy and legal ramifications. Before enabling system-wide accounting, inform stakeholders and define retention policies. Keep **/var/account/pacct** access restricted to authorized admins.
Conclusion
GNU **acct** / **psacct** provides compact, dependable tooling to monitor Linux user activity, record login durations, list executed commands, and summarize resource usage with `ac`, `lastcomm`, and `sa`. Install **acct**, enable accounting with `accton` or the system service, verify **/var/account/pacct** is being written, and set up rotation. Use the examples above to start auditing users and building automated reports that help secure and optimize your systems.
Remember: monitoring linux user activity is powerful for troubleshooting and security — apply it responsibly and automate summaries for easier, repeatable auditing.
