How to see what commands a particular login session used?

Question

I have a debian server and I am the adminstrator for the server. The server hasn't been working correctly and I would like to see what commands were executed by the last 3-4 users who logged in (separated by each login session, since the same user logged in more than once). Is there any way I can accomplish this? I am the root user.

Answer 1

I found a decent article that explains various auditing tools, including the one you want, lastcomm. It's part of acct package, so do:

sudo apt-get install acct

The output is very detailed, so you may want to filter on which commands were run:

$ lastcomm --command wajig apt-get
wajig                  tshepang pts/7      0.00 secs Tue Oct  8 22:56
wajig                  tshepang pts/7      0.00 secs Tue Oct  8 22:56
apt-get          S     root     pts/7      0.52 secs Tue Oct  8 22:56
apt-get           F    root     pts/7      0.00 secs Tue Oct  8 22:56
wajig                  tshepang pts/7      0.00 secs Tue Oct  8 22:47
apt-get          S     root     pts/7      0.45 secs Tue Oct  8 22:47
apt-get           F    root     pts/7      0.00 secs Tue Oct  8 22:47

Further info, e.g. the meaning of the fields, can be found on that article.

Answer 2

It depends of the shell, if bash you can try (as root):

cat /home/user_you_are_looking_for/.bash_history