1. Introduction

Maintaining process history in Linux helps us understand system activity, troubleshoot issues, and monitor resource usage. Whether diagnosing crashes or analyzing performance, knowing how processes run and terminate is essential for system stability. For instance, we may need to check past processes to find the cause of unexpected slowdowns or failures.

In this tutorial, we’ll first cover the basics of Linux processes and their different states. Then, we’ll explore various tools and methods for effectively maintaining process history.

2. Understanding Linux Processes and States

Every command or application running on a Linux system is a process. While some processes run in the foreground, others operate in the background without direct interaction. In both cases, the Linux kernel assigns each process a unique Process ID (PID) and manages its execution.

A process can be in one of several states depending on its activity:

  • Running: actively executing instructions
  • Sleeping: idle, waiting for resources or input
  • Stopped: execution is paused
  • Zombie: completed, but still holds a PID until its parent retrieves the exit status

By understanding these states, we can manage processes effectively, stop unresponsive tasks, and optimize system performance.

3. Using the acct Utility

The acct (Process Accounting) utility logs executed processes, which we can use to track past system activities. It records who ran each command, when it happened, and the amount of system resources used.

3.1. Installing acct

By default, most Linux systems don’t include acct, so we install it manually.

To install the utility on a Debian-based distribution, we employ the native package manager:

$ sudo apt install acct

Once installed, we start and enable the relevant service to begin process tracking:

$ sudo systemctl start acct
$ sudo systemctl enable acct

We can verify if acct is running via its status:

$ sudo systemctl status acct

If the status is active, the service is working correctly, and process accounting has started. Otherwise, we may need to restart the service or check system logs for issues.

3.2. Viewing Command History With lastcomm

The lastcomm command displays all previously executed commands recorded by acct:

$ lastcomm

We can also filter results by providing a username:

$ lastcomm baeldung

Here, the commands run by the user baeldung should appear.

Additionally, we can check if a specific command was executed in the past by providing a command name:

$ lastcomm ls

The output displays the details of all instances where the ls command was run.

Notably, because lastcomm accepts both user names and command names as arguments, a given name may match either one, so we should take care when interpreting the results.
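As an added example (not part of the original article), the following function sidesteps that ambiguity by matching on the user column only, and reports just the records whose flag column shows superuser use (S), a core dump (D), or termination by a signal (X). The function names, the sample records, and the assumed column layout (command, optional flags, user, tty, CPU seconds, start time) are assumptions modeled on GNU acct's lastcomm output.

```shell
#!/bin/sh
# Constructed sample in lastcomm's layout (assumed layout, not real output):
# command, optional flags, user, tty, CPU seconds, start time.
# The fourth record is a *command* named baeldung run by root, which a plain
# "lastcomm baeldung" would also match.
sample_records() {
cat <<'EOF'
ls                     baeldung pts/0      0.00 secs Wed Apr 23 10:15
sudo              S    baeldung pts/0      0.01 secs Wed Apr 23 10:14
worker               DX baeldung __        1.20 secs Wed Apr 23 10:12
baeldung               root     pts/1      0.00 secs Wed Apr 23 10:11
cron              SF   root     __         0.00 secs Wed Apr 23 10:10
EOF
}

# Usage: lastcomm | lastcomm_flagged USER [FLAGS]
# Prints "user command flags" for records owned by USER (user column only)
# whose flags contain any letter in FLAGS (default: S, D or X).
lastcomm_flagged() {
    awk -v user="$1" -v want="${2:-SDX}" '
    # Parse from the right: the last four fields are the start time,
    # preceded by "secs", CPU time, tty and user.
    NF >= 9 && $(NF-4) == "secs" {
        if ($(NF-7) != user) next
        flags = ""
        i = NF - 8
        # Anything between the command and the user made of flag letters
        while (i > 1 && $i ~ /^[SFCDX]+$/) { flags = $i flags; i-- }
        cmd = $1
        for (j = 2; j <= i; j++) cmd = cmd " " $j
        if (flags ~ "[" want "]") print user, cmd, flags
    }'
}

# Demo on the constructed records
sample_records | lastcomm_flagged baeldung
```

On a live system, we pipe the real output in instead: lastcomm | lastcomm_flagged baeldung.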

3.3. Summarizing Usage Statistics With sa

Unlike the lastcomm command, the sa (Summary Accounting) command generates a summary report of command usage over time.

For that, sa processes data collected by acct and provides execution statistics:

$ sa

A general summary shows how many times each command has run and how much CPU time was used.

4. Using the ps Command

The ps command shows a snapshot of currently running processes on the system. In particular, the ps command is useful for checking which programs are active, their PIDs, and what resources they are using:

$ ps

By default, the standalone command shows only the processes associated with the current terminal session. As a result, it includes only basic details like PID, TTY, time, and the command name.

4.1. Display All Active Processes

To get a full list of running processes along with detailed information, we add several options:

$ ps aux

In this case, a shows processes from all users, u selects the user-oriented output format, and x includes processes without a TTY, which normally don’t appear.

Furthermore, we also get additional details like CPU usage, memory usage, and the exact command used to launch the process.

4.2. List All Process IDs

We can use the -e flag if we need a simpler list of all running processes with their PIDs and commands only:

$ ps -e

It skips extra details like CPU or memory usage.

4.3. Detailed View of Each Process

To get more detailed information, including parent process IDs and how processes are related, we can use the -f option:

$ ps -f

This command helps identify how a process was started and which other processes are linked to it.
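As an added example (not part of the original article), the parent relationship can be combined with the process states from section 2 to find which parent is failing to collect the exit status of its zombie children. The function names and the sample listing are assumptions; the input is expected in the format produced by ps -eo pid,ppid,stat,comm.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,ppid,stat,comm` output (not real data).
# STAT starts with R, S, T or Z for running, sleeping, stopped and zombie.
sample_ps() {
cat <<'EOF'
    PID    PPID STAT COMMAND
      1       0 Ss   systemd
    812       1 Ssl  jobrunner
    830     812 Z    worker <defunct>
    831     812 Z+   worker <defunct>
    900       1 S    sshd
    951     900 T    vim
EOF
}

# Usage: ps -eo pid,ppid,stat,comm | zombies_with_parent
# Prints "zombie_pid zombie_comm parent_pid parent_comm" for every process
# whose state is Z. The header line is skipped.
zombies_with_parent() {
    awk 'NR > 1 {
        comm[$1] = $4          # first word of the command name
        ppid[$1] = $2
        if ($3 ~ /^Z/) z[++n] = $1
    }
    END {
        # Resolve parents only after the whole table has been read,
        # since a parent may be listed after its child.
        for (k = 1; k <= n; k++) {
            p = ppid[z[k]]
            print z[k], comm[z[k]], p, ((p in comm) ? comm[p] : "?")
        }
    }'
}

# Demo on the constructed listing
sample_ps | zombies_with_parent
```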

4.4. Filter by User

Similarly, to view only the processes started by a specific user, we can use the -u option:

$ ps -u root

Here, we can see only the processes started by the user we specify.

5. Using the top Command

The top command provides real-time monitoring of system processes. Unlike ps, which captures a static snapshot, top continuously updates, showing active processes and their resource consumption:

$ top

The above command opens an interactive interface with a list of processes, sorted by CPU usage by default. The top utility also shows overall system stats like uptime, load average, CPU load, memory usage, and swap usage.

5.1. View Processes for a Specific User

To narrow down the output, we can use the -u option and only see processes run by a specific user:

$ top -u root

The command filters the process list, showing only those initiated by the mentioned user.

5.2. Sort by Memory Usage

By default, top sorts processes by CPU usage. To sort by memory consumption instead, we use a key combination:

Shift + M

This way, we update the sorting, showing processes by memory consumption instead.

5.3. Change Refresh Interval

To modify how often the display updates, we can use the -d option, followed by the number of seconds:

$ top -d 5

The command changes the refresh rate to once every 5 seconds for better monitoring.

5.4. Search for a Process

To find a specific process by name, we use another key combination:

Shift + L

At this point, a prompt opens where we can type the process name we want to locate.

6. Using the atop Command

The atop command is an advanced monitoring tool that provides detailed information about system and process-level resource usage. Unlike top, which shows a live snapshot, atop can log system activity at regular intervals. This enables us to review past events and diagnose performance issues later.

6.1. Installing atop

First, we need to install atop:

$ sudo apt install atop

Once installed, atop should be ready to use.

6.2. Running atop in Real Time

To start monitoring system performance in real-time, we simply run the command:

$ atop

We get a detailed interface like top, but with additional metrics including CPU, memory, secondary storage, and network usage.

6.3. Enabling Past Logging

To maintain a record of past activity, atop can run as a background service and save logs automatically by enabling the logging service:

$ sudo systemctl enable --now atop

When we execute this command, atop begins recording system snapshots every 10 minutes by default.

The resulting logs are saved in /var/log/atop/, and each log file is named by date, for example, atop_20250423.

6.4. Viewing Past System Activity

To read a specific log file, we can use the -r option:

$ atop -r /var/log/atop/atop_20250423

This command opens an interactive viewer similar to real-time mode, but it loads past data instead.

7. Conclusion

In this article, we explored various methods for tracking process history and monitoring system performance in Linux.

First, we covered the acct utility. Then, we discussed the ps, top, and atop commands, showing how each can be used to troubleshoot issues, analyze resource usage, and maintain system stability.

In conclusion, the ability to review historical data with acct and atop adds an extra layer of insight, helping to identify and address problems that may not be immediately visible.
