Process Details

Arpit9568

Hi Guys,

Is there any way in Linux (RedHat) to get the details of a stopped process, like which user terminated the process, the reason for termination, the time and date of termination, etc.?

Please help me with this.

Thanks in advance!
 


Alexzee

Have a look in the system logs /var/log/syslog and /var/log/messages.


A handful of useful commands are in this link:


To see who is logged in, open the terminal, type w and hit Enter.

To check login history:

  1. /var/run/utmp: It contains information about the users who are currently logged onto the system. The who command is used to fetch the information from this file.
  2. /var/log/wtmp: It contains historical utmp. It keeps the users' login and logout history. ...
  3. /var/log/btmp: It contains bad login attempts.
Hope that helps.
 

Arpit9568

Hi Alexzee, thanks for the reply!

I got the logs and the details of the process, but when I checked the utmp files to see who actually terminated it... the data isn't human readable in Notepad++. Also, there are no wtmp and btmp files either. Could you please help me with this?
 

Alexzee

Arpit9568 said:
> Hi Alexzee, thanks for the reply!
>
> I got the logs and the details of the process, but when I checked the utmp files to see who actually terminated it... the data isn't human readable in Notepad++. Also, there are no wtmp and btmp files either. Could you please help me with this?
Are you the administrator?

To be able to read the utmp, wtmp and btmp files, you have to run these commands in the terminal to view them.

last -f /var/log/wtmp
{ To open the wtmp file and view its content, use the command above }

last -f /var/run/utmp
{ To see users who are still logged in, view the utmp file with the same last command }

last -f /var/log/btmp
{ To view the btmp file, use the same command }

You can also run this command, but you will have to run it as root for it to show you what is in /var/log/btmp:
lastb

See the article in this link; it will help you.

You may also want to look into encrypted vaults.

This could be a security risk and @KGIII may be able to assist you with this much better than I.
 

KGIII

If I understand correctly, finding out after the fact is difficult unless you've installed auditing software. Installing auditing software after the fact doesn't help, it needs to be installed ahead of time.

I've played with some auditing stuff, but never actually used it for anything. Well, not the kind of auditing we're talking about here. I have auditing software for my sites, but that's an entirely different bowl of wax.
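To make the auditing point concrete: if auditd is already recording the kill(2) syscall when the process is terminated, the raw records answer the original question (who sent which signal to which pid, and when). The following is an added example, not code from anyone in this thread. It assumes a RHEL x86_64 host where auditd was running with a rule such as `auditctl -a always,exit -F arch=b64 -S kill -F a1!=0 -k procsig` and the records were exported with `ausearch -k procsig --raw`; the log lines and the uid-to-name table below are constructed for the example.

```python
"""Who sent a signal to which process, reconstructed from auditd records.

Added example (not from the thread). It assumes auditd was already
running with a rule that logs the kill(2) syscall, e.g. on RHEL:

    auditctl -a always,exit -F arch=b64 -S kill -F a1!=0 -k procsig

and that the raw records were exported with `ausearch -k procsig --raw`.
"""
import datetime
import re
import signal

# Constructed sample records in raw auditd format (not real logs).
# a0 = target pid (hex), a1 = signal number (hex), auid = login uid of the sender.
# auid/ses 4294967295 means "unset": a daemon, not an interactive login.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=62 success=yes exit=0 a0=4d2 a1=f a2=0 a3=0 items=0 ppid=1200 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="kill" exe="/usr/bin/kill" key="procsig"
type=SYSCALL msg=audit(1700000060.500:4570): arch=c000003e syscall=62 success=no exit=-1 a0=4d2 a1=9 a2=0 a3=0 items=0 ppid=1300 pid=2400 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 comm="kill" exe="/usr/bin/kill" key="procsig"
type=SYSCALL msg=audit(1700000120.000:4580): arch=c000003e syscall=62 success=yes exit=0 a0=4d2 a1=9 a2=0 a3=0 items=0 ppid=1 pid=2500 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" key="procsig"
type=CWD msg=audit(1700000120.000:4580): cwd="/"
"""

# Constructed uid -> login name table; on a real host use pwd.getpwuid() or /etc/passwd.
UID_NAMES = {0: "root", 1000: "arpit", 1001: "alex"}

# kill(2) syscall number per audit arch value; it differs between architectures.
KILL_SYSCALL = {"c000003e": "62", "c00000b7": "129"}  # x86_64, aarch64
AUID_UNSET = 4294967295

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r"audit\((\d+)\.\d+:\d+\)")


def parse_fields(line):
    """Split a raw audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def signal_name(num):
    """Map a signal number to its name, falling back to SIG<n> for unknown ones."""
    try:
        return signal.Signals(num).name
    except ValueError:
        return f"SIG{num}"


def parse_kill_events(raw_log, uid_names):
    """Return one event per kill(2) SYSCALL record, in log order."""
    events = []
    for line in raw_log.splitlines():
        f = parse_fields(line)
        if f.get("type") != "SYSCALL":
            continue  # skip CWD/PATH/PROCTITLE companion records
        if f.get("syscall") != KILL_SYSCALL.get(f.get("arch", "")):
            continue  # not kill(2) for this architecture
        sig = int(f["a1"], 16)
        if sig == 0:
            continue  # kill(pid, 0) only probes for existence
        epoch = int(TS_RE.search(f["msg"]).group(1))
        ts = datetime.datetime.fromtimestamp(epoch, tz=datetime.timezone.utc)
        auid = int(f["auid"])
        events.append({
            "time": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "user": "unset" if auid == AUID_UNSET else uid_names.get(auid, str(auid)),
            "sender_pid": int(f["pid"]),
            "sender_comm": f.get("comm", "?"),
            "target_pid": int(f["a0"], 16),
            "signal": signal_name(sig),
            "success": f.get("success") == "yes",
        })
    return events


def who_killed(events, target_pid):
    """Signals that were actually delivered to target_pid, oldest first."""
    return [e for e in events if e["target_pid"] == target_pid and e["success"]]


if __name__ == "__main__":
    for e in who_killed(parse_kill_events(SAMPLE_AUDIT_LOG, UID_NAMES), 1234):
        print(f'{e["time"]} {e["user"]:>6} pid={e["sender_pid"]} ({e["sender_comm"]}) '
              f'sent {e["signal"]} to pid {e["target_pid"]}')
```

Two details matter in practice: auid (the login uid, which survives su/sudo) is the field that tells you who the human behind the signal was, while uid only tells you the effective user at the time; and success=no records are worth keeping, since a failed kill attempt is often the interesting event. Without the audit rule in place beforehand none of these records exist, which is KGIII's point.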
 

dos2unix

Take a look at sar, journalctl, and if it happens frequently, something like strace.
 