Process Details

Arpit9568 · May 13, 2021

Hi Guys,

is there any way in Linux(RedHat), we can get the details of the stopped process like which user terminated the process/Reason of termination/ time, and date of termination, etc.

Please help me with this.

Thanks in advance!

Alexzee · May 13, 2021

Have a look in system log /var/log/syslog and /var/log/messages.

Unix / Linux command to see finished or killed processes

Is there a way to see processed that finished running or were killed a given amount of time ago? For instance, ps -ef will show all running processes, but if a process finishes, it is no longer re...

serverfault.com

Using a hand full of commands are here in this link:

How to Kill a Process in Linux with Kill, Pkill and Killall | PhoenixNAP KB

Linux unresponsive? Learn how to kill a process in lLinux, the easy way. Guide to the Kill, Pkill and Killall Commands. Terminate a process with an easy command!

phoenixnap.com

To see who is logged in open the terminal type w and hit Enter.

To check login history:

/var/run/utmp: It contains information about the users who are currently logged onto the system. Who command is used to fetch the information from the file.
/var/log/wtmp: It contains historical utmp. It keeps the users login and logout history. ...
/var/log/btmp: It contains bad login attempts.

Hope that helps.

Arpit9568 · May 17, 2021

Hi Alexzee, Thanks for the reply!

I got the logs and the details of process but when i checked utmp files to check who certainly terminated it... data isnt the human readable in notepad++. also there is no wtmp and btmp files either. Could you please help me in this ?

Alexzee · May 18, 2021

Arpit9568 said:
Hi Alexzee, Thanks for the reply!

I got the logs and the details of process but when i checked utmp files to check who certainly terminated it... data isnt the human readable in notepad++. also there is no wtmp and btmp files either. Could you please help me in this ?

Are you the administrator?

To be able to read the utmp, wtmp and btmp files you have to run these commands in the terminal to view them.

last -f /var/log/wtmp
{ To open wtmp file and view its content use blow command}

last -f /var/run/utmp
{ To see still logged in users view utmp file use last command}

last -f /var/log/btmp
{ To view btmp file use same command}

Also you can run this command but you will have to run it as root to show you what is in /var/log/btm.
lastb

See this article in this link, it will help you.

What is the purpose of utmp, wtmp and btmp files in Linux – The Geek Diary

In a Linux system, everything is logged in a log file under the directory called /var/log. This directory contains logs related to different services and applications. In this directory, we have some files such as utmp, wtmp and btmp. Unlike the system log files and the authentication log files...

www.thegeekdiary.com

Also you may want to look into encyrpted vaults.

This could be a security risk and @KGIII may be able to assist you with this much better than I.

KGIII · May 18, 2021

If I understand correctly, finding out after the fact is difficult unless you've installed auditing software. Installing auditing software after the fact doesn't help, it needs to be installed ahead of time.

I've played with some auditing stuff, but never actually used it for anything. Well, not the kind of auditing we're talking about here. I have auditing software for my sites, but that's an entirely different bowl of wax.

dos2unix · May 18, 2021

Take a look at sar, journalctl, and if it happens frequently, something like strace.

Process Details

Arpit9568

New Member

Alexzee

Well-Known Member

Unix / Linux command to see finished or killed processes

How to Kill a Process in Linux with Kill, Pkill and Killall | PhoenixNAP KB

Arpit9568

New Member

Alexzee

Well-Known Member

What is the purpose of utmp, wtmp and btmp files in Linux – The Geek Diary

KGIII

Super Moderator

dos2unix

Well-Known Member

Members online

Latest posts