Question & Answer
Question
How can I determine which user ran a certain Linux command?
Answer
If you are investigating the cause of a server malfunction, try the following steps:
1. In a shell window, run the last command to track the login time of a particular user as well as the duration of each user's session.
last
...
mysurface tty7 :0 Mon Aug 6 20:07 - down (00:00)
reboot system boot 2.6.24.4-64.fc8 Mon Oct 6 20:06 (00:00)
mysurface pts/8 10.168.28.44 Mon Aug 6 17:42 - down (01:58)
mysurface pts/7 :0.0 Mon Aug 6 17:41 - 19:40 (01:59)
mysurface pts/6 :0.0 Mon Aug 6 17:27 - 19:40 (02:13)
mysurface pts/5 :0.0 Mon Aug 6 17:27 - 19:40 (02:13)
mysurface pts/5 :0.0 Mon Aug 6 15:52 - 15:59 (00:07)
...
2. Run the history command to list all of the executed commands. However, if you require the date and time when each of the commands ran, you need to set the HISTTIMEFORMAT environment variable.
3. The HISTTIMEFORMAT variable takes the format string of strftime. Review the strftime manual and choose the timestamp that you want; a typical choice is “%F %T “.
- export HISTTIMEFORMAT="%F %T "
4. Run the history command again, keeping in mind that the timestamp for command lines that executed in previous sessions may not be valid because the time was not tracked.
...
994 2008-10-16 02:27:40 exit
995 2008-10-16 01:12:20 kill -9 34657 996 2008-10-16 01:47:46 vi .bash_profile
997 2008-10-16 01:47:55 history
998 2008-10-16 01:48:03 nzstop
999 2008-10-16 01:48:04 nzspu failover -id 1234
1000 2008-10-16 01:48:09 exit
1001 2008-10-16 02:27:43 history
...
The export is best put into ~/.bash_profile as well as /root/.bash_profile. In case you do not have .bash_profile, you can choose to put into ~/.bashrc.
Historical Number
NZ017005
Was this topic helpful?
Document Information
Modified date:
17 October 2019
UID
swg21570167