I am a new Linux and Unix system user. How do I find previously executed commands by my users on Linux or Unix-like operating systems?
You need to use lastcomm command to display information about previously executed commands on Linux or Unix based systems.
|lastcomm command details|
|Description||Show last commands executed|
|Estimated completion time||5m|
Read from accounting from file
lastcomm prints out information about previously executed commands.
The basic syntax is as follows:
If no command line arguments provided, lastcomm shows information about all the commands recorded during the /var/account/pacct file's lifetime. If called with one or more of commandNameHere, userNameHere, or terminalNameHere, only records containing those items will be displayed.
Open the Terminal app and type the following command to show information about all previously executed commands recorded in the /var/account/pacct:
# lastcomm | more
Understanding lastcomm output
For each line, the following information is displayed by lastcomm on Linux based system:
- The command name of the process.
- Flag as follows:
- S : Command executed by super-user
- F : Command executed after a fork but without a following exec
- C : Command run in PDP-11 compatibility mode (VAX only)
- D : Command terminated with the generation of a core file
- X : Command was terminated with the signal SIGTERM
- Command name of the process.
- The name of the user who ran the process.
- Time the process started.
To show information about commands named rsync executed:
# lastcomm rsync
rsync S root __ 0.03 secs Tue Jan 28 10:30 rsync SF root __ 0.00 secs Tue Jan 28 10:30 rsync S root __ 0.02 secs Tue Jan 28 10:25 rsync SF root __ 0.00 secs Tue Jan 28 10:25 rsync S root __ 0.02 secs Tue Jan 28 10:20 rsync SF root __ 0.00 secs Tue Jan 28 10:20 rsync S root __ 0.03 secs Tue Jan 28 10:15 rsync SF root __ 0.00 secs Tue Jan 28 10:15
To show information about commands executed by the nixcraft user, type:
# lastcomm nixcraft
php-cgi F nixcraft __ 17.86 secs Tue Jan 28 08:41 php-cgi F nixcraft __ 17.97 secs Tue Jan 28 08:41 lighttpd F nixcraft __ 0.00 secs Tue Jan 28 07:09 lighttpd S nixcraft pts/0 0.00 secs Tue Jan 28 07:09 php-cgi F X nixcraft __ 4.83 secs Tue Jan 28 06:30 php-cgi F X nixcraft __ 0.59 secs Tue Jan 28 07:08 php-cgi F X nixcraft __ 24.13 secs Tue Jan 28 06:42 lighttpd F nixcraft __ 116.24 secs Sun Jan 26 07:13 php-cgi F X nixcraft __ 0.81 secs Tue Jan 28 07:02 php-cgi X nixcraft __ 0.06 secs Sun Jan 26 07:13 php-cgi X nixcraft __ 0.21 secs Sun Jan 26 07:13 php-cgi F nixcraft __ 25.91 secs Tue Jan 28 06:36 php-cgi F nixcraft __ 22.05 secs Tue Jan 28 03:15
To show information about commands executed on the pts/0 terminal, enter:
# lastcomm pts/0
Putting it all together
You can combine user-name, terminal and command names to display information about commands named php-cgi executed by the root user on the pts/4 terminal, enter:
# lastcomm php-cgi root pts/4
To find out which users used command 'useradd' and which users were logged into tty5, type:
# lastcomm useradd tty5
To read accounting from file /var/adm/pacct instead of the default accounting file, type:
lastcomm -f /var/adm/pacct
## user name ##
# lastcomm -f /var/adm/pacct nixcraft
## tty/1 terminal ##
lastcomm -f /var/adm/pacct tty/1
This tutorial is also available in a quick video format.
- /var/account/pacct (Linux) or /var/account/acct file.
- lastcomm(1) Linux/Unix command man page