Unix / Linux command to see finished or killed processes


Solution 1

You can find that information in the system log /var/log/syslog and /var/log/messages.

Depending on what process they were you may be able to find some info about their start time etc.

ex:

Feb  1 12:31:21 centos7 NetworkManager[809]: <info> dhclient started with pid 1319

If you are investigating some resource usage you can log it using pidstat and write it to a log file.

Also, some applications write a PID file, so for the future you can log that as well.
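
The syslog approach in this answer, as an added example that is not part of the original answer: it scans traditional syslog lines for a time window and lists every PID that logged in that window or was mentioned by another daemon, with first and last sighting. The function names, the caller-supplied year (these timestamps carry none) and all sample lines except the first are assumptions made for the example; a process that never logged will not appear, and PIDs can be reused over long windows.

```python
import re
from datetime import datetime

# Traditional (RFC 3164 style) syslog line: "Mon DD HH:MM:SS host tag[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# PIDs a daemon mentions in its message, e.g. "started with pid 1319"
MENTION_RE = re.compile(r"\bpid[ =:]+(\d+)", re.IGNORECASE)

def parse_ts(text, year):
    # These timestamps carry no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")

def processes_seen(lines, start, end, year):
    """Return {pid: {"names", "first", "last", "lines"}} for PIDs logged in [start, end]."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other log formats or continuation lines
        ts = parse_ts(m["ts"], year)
        if not start <= ts <= end:
            continue
        pids = [(int(m["pid"]), m["tag"])] if m["pid"] else []
        pids += [(int(p), "mentioned by " + m["tag"]) for p in MENTION_RE.findall(m["msg"])]
        for pid, name in pids:
            rec = seen.setdefault(pid, {"names": set(), "first": ts, "last": ts, "lines": 0})
            rec["names"].add(name)
            rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
            rec["lines"] += 1
    return seen

# Constructed sample input; only the first line is taken from the answer above.
SAMPLE = """\
Feb  1 12:31:21 centos7 NetworkManager[809]: <info> dhclient started with pid 1319
Feb  1 12:31:22 centos7 dhclient[1319]: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Feb  1 12:40:03 centos7 CROND[1402]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Feb  1 14:02:10 centos7 sshd[1588]: Accepted publickey for admin from 192.0.2.10 port 50514 ssh2
""".splitlines()

if __name__ == "__main__":
    window = (datetime(2024, 2, 1, 12, 0), datetime(2024, 2, 1, 13, 0))
    for pid, rec in sorted(processes_seen(SAMPLE, *window, year=2024).items()):
        print(pid, sorted(rec["names"]), rec["first"].time(), rec["last"].time(), rec["lines"])
```
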

Solution 2

If you don't have things set up ahead of time you won't get what you need, but psacct keeps track of processes, though you have to make sure of storage. Then you would use lastcomm and all kinds of tools to see what was running when, and by what user. Auditing may also help, if you have your rules set up right.

But if you don't have these things set up ahead of time, unless the programs do their own logging, you may not be able to find much information.

Author: Rooster


Updated on September 18, 2022

Comments

  • Rooster
    Rooster over 1 year

    Is there a way to see processes that finished running or were killed a given amount of time ago?

    For instance, ps -ef will show all running processes, but if a process finishes, it is no longer returned by this command. So for instance if I wanted to see what processes (with their commands) were running an hour ago, is there any command to do that? Or a log of processes no longer in use?

    Trying to investigate a blip an hour ago and would like as much information as possible!

    Cheers

    • mpez0
      mpez0 over 8 years
      Process accounting, if enabled, may help. Look at sa and acct.