I have a linux server and there contains an important script xyz.sh. At times there will be 10-50 users logged into that machine. Is it possible to find who is running the script? Also, is it possible to get a log who all have ran the script xyz.sh; means is it possible to extract a history of script run?
For a simple on-the-fly check about the owners' script while it's runnging you can use:
$ ps -e -o euid,pid,euser,state,command | grep "xyz.sh"|grep -v grep
0 31096 root S /bin/bash ./xyz.sh
1000 31030 ale S /bin/bash ./xyz.sh
It should be possible to log the ps output with this script:
#!/bin/bash
SECONDS=5
TARGET=xyz.sh
OUT=/var/tmp/xyz_history.log
while true
do
sleep $SECONDS
echo "$(date '+TIME:%H:%M:%S';ps -e -opid,user,command|grep $TARGET | grep -v grep)"
done >> $OUT
exit 0
The output:
$ tail -f /var/tmp/xyz_history.log
TIME:14:13:37
496 postgres /bin/bash ./xyz.sh
625 ale /bin/bash ./xyz.sh
32137 root /bin/bash ./xyz.sh
TIME:14:13:38
496 postgres /bin/bash ./xyz.sh
625 ale /bin/bash ./xyz.sh
32137 root /bin/bash ./xyz.sh
TIME:14:13:39
496 postgres /bin/bash ./xyz.sh
625 ale /bin/bash ./xyz.sh
TIME:14:13:40
496 postgres /bin/bash ./xyz.sh
625 ale /bin/bash ./xyz.sh
...
This is not a clean solution of course. If you can install packages on the system and run commands as superuser, a better solution is using lastcomm:
# lastcomm xyz.sh
xyz.sh X ale pts/1 0.00 secs Fri Sep 11 14:12
xyz.sh X root pts/3 0.00 secs Fri Sep 11 14:00
xyz.sh X ale pts/4 0.00 secs Fri Sep 11 14:08
xyz.sh X ale pts/4 0.00 secs Fri Sep 11 14:00
xyz.sh X root pts/4 0.00 secs Fri Sep 11 13:54
xyz.sh X ale pts/1 0.00 secs Fri Sep 11 13:51
xyz.sh X root pts/3 0.00 secs Fri Sep 11 13:42
xyz.sh X ale pts/1 0.00 secs Fri Sep 11 13:36
xyz.sh X ale pts/1 0.00 secs Fri Sep 11 13:36
xyz.sh X ale pts/1 0.00 secs Fri Sep 11 13:36
xyz.sh X ale pts/1 0.00 secs Fri Sep 11 13:36
xyz.sh X postgres pts/1 0.00 secs Fri Sep 11 13:36
xyz.sh X ale pts/1 0.00 secs Fri Sep 11 13:36
xyz.sh X root pts/1 0.00 secs Fri Sep 11 13:36
xyz.sh X ale pts/1 0.00 secs Fri Sep 11 13:36
It's possible install the command lastcomm from the psacct (centos/redhat) or acct package (debian/ubuntu/OpenSuse).
Related
I was going through logged in user in to my system using who command what i found is very surprising a user named unknown is logged in
Result of command who :
myuser pts/1 Aug 6 20:27 (localhost)
(unknown) :0 Aug 5 16:25 (:0)
myuser pts/0 Aug 6 00:48 (localhost.localdomain)
But when i tried running w it results different:
20:46:53 up 1 day, 23:11, 3 users, load average: 1.00, 1.01, 1.05
USER TTY FROM LOGIN# IDLE JCPU PCPU WHAT
myuser pts/1 localhost 20:27 5.00s 0.20s 0.03s w
myuser pts/0 localhost.locald 00:48 19:57m 0.08s 1.71s python2 -m guake.main
I am neither able to find any user on my machine named unknown. On trying sudo su unknown/"(unknown)"
I tried running last it shows unknown user still logged in
myuser pts/1 localhost Thu Aug 6 20:27 still logged in
myuser pts/2 :pts/1:S.0 Thu Aug 6 20:15 - 20:16 (00:00)
myuser pts/1 localhost Thu Aug 6 20:03 - 20:18 (00:15)
myuser pts/2 :pts/1:S.0 Thu Aug 6 19:49 - 19:49 (00:00)
myuser pts/1 localhost Thu Aug 6 19:47 - 19:49 (00:02)
myuser pts/1 localhost Thu Aug 6 19:37 - 19:46 (00:09)
myuser pts/1 localhost Thu Aug 6 19:33 - 19:37 (00:03)
myuser pts/1 :9 Thu Aug 6 19:32 - 19:33 (00:00)
myuser pts/1 localhost Thu Aug 6 19:26 - 19:32 (00:05)
myuser pts/2 :pts/1:S.0 Thu Aug 6 19:22 - 19:22 (00:00)
myuser pts/1 localhost Thu Aug 6 19:22 - 19:22 (00:00)
myuser pts/2 :pts/1:S.0 Thu Aug 6 19:15 - 19:16 (00:00)
myuser pts/1 localhost Thu Aug 6 19:15 - 19:16 (00:00)
myuser pts/2 :pts/1:S.0 Thu Aug 6 19:13 - 19:13 (00:00)
myuser pts/1 localhost Thu Aug 6 19:13 - 19:13 (00:00)
myuser pts/2 :pts/1:S.0 Thu Aug 6 19:12 - 19:13 (00:00)
myuser pts/2 :pts/1:S.0 Thu Aug 6 19:11 - 19:11 (00:00)
myuser pts/2 :pts/1:S.0 Thu Aug 6 19:10 - 19:10 (00:00)
myuser pts/1 localhost Thu Aug 6 18:37 - 19:13 (00:35)
myuser pts/1 localhost Thu Aug 6 18:17 - 18:21 (00:03)
myuser pts/1 localhost Thu Aug 6 18:09 - 18:13 (00:03)
myuser pts/0 localhost.locald Thu Aug 6 00:48 still logged in
myuser pts/0 localhost.locald Thu Aug 6 00:34 - 00:48 (00:14)
myuser pts/1 :9 Wed Aug 5 23:01 - 23:01 (00:00)
myuser pts/0 localhost.locald Wed Aug 5 22:00 - 00:34 (02:34)
myuser pts/0 localhost Wed Aug 5 21:06 - 21:06 (00:00)
myuser pts/0 localhost Wed Aug 5 20:57 - 20:59 (00:01)
myuser pts/0 localhost Wed Aug 5 20:56 - 20:56 (00:00)
myuser pts/0 localhost Wed Aug 5 20:56 - 20:56 (00:00)
myuser pts/0 :9 Wed Aug 5 20:55 - 20:56 (00:00)
myuser pts/4 localhost Wed Aug 5 20:14 - 20:55 (00:40)
myuser pts/4 localhost Wed Aug 5 20:11 - 20:12 (00:00)
myuser pts/5 localhost Wed Aug 5 19:52 - 19:56 (00:04)
myuser pts/4 localhost Wed Aug 5 19:29 - 19:31 (00:02)
myuser pts/2 localhost Wed Aug 5 18:42 - 19:32 (00:49)
myuser pts/2 localhost Wed Aug 5 18:42 - 18:42 (00:00)
myuser pts/3 :9 Wed Aug 5 18:38 - 18:42 (00:04)
myuser pts/3 localhost Wed Aug 5 16:28 - 16:28 (00:00)
myuser pts/2 :9 Wed Aug 5 16:26 - 16:28 (00:02)
(unknown :0 :0 Wed Aug 5 16:25 still logged in
Any idea how ?
I faced a similar problem some time ago on a Fedora host.
In my case, i found it was the X system that created a wrong entry in /var/run/utmp.
Here the link to the page.
Maybe you are not using Fedora but I suggest to try disable X and check if you still have an (unknown) user logged in.
Hope this helps.
I saw this appearing in a Fedora installation in the past, when I launched the X from a tty (not in init 5)
In red hat, there is a bug open related to this problem here (but maybe you are not even running a red hat based distro)
Take a look on it, there are some possible explanations, but depends on what you are running in your box
I am running a small instance on Amazon EC2 with Ubuntu 12.04 LTS.
I have also setup Cloudwatch Alarm on the instance.
The problem is that CPU utilization goes above 90% sometimes and I get notification alarm for that.
I have set a cronjob on instance which runs at every minute and stores the top 3 running processes based on highest CPU usage in a log file. Cronjob is as below.
* * * * * ps -eo pcpu,pid,args --no-headers | sort -n -r | head -3 | perl -pe 'print scalar(localtime()), " ";' >> ps_log/log
But I can't see any process with high CPU usage when I run this command on cron log.
cat ps_log/log | sort -k 6 -n -r | head -10
Following is the latest result of cron log.
Tue May 13 17:44:01 2014 17.1 10171 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
Tue May 13 18:06:01 2014 15.1 10502 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
Tue May 13 13:28:01 2014 14.7 6526 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
Tue May 13 09:56:01 2014 12.4 3277 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
Tue May 13 18:06:01 2014 11.4 10508 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
Wed May 14 02:32:36 2014 11.0 16936 ps -eo pcpu,pid,args --no-headers
Tue May 13 13:32:01 2014 10.3 6619 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
Tue May 13 18:06:01 2014 10.2 10501 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
Tue May 13 11:08:01 2014 9.6 4802 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
Wed May 14 02:58:07 2014 8.5 17268 ps -eo pcpu,pid,args --no-headers
I can show the two Alarm results and the result of cronlog at which the Alarm notification came.
Reason for State Change: Threshold Crossed: 1 datapoint (96.72) was greater than or equal to the threshold (80.0).
Timestamp: Tuesday 13 May, 2014 15:42:09 UTC
Cronlog:
Tue May 13 15:39:20 2014 2.0 8481 perl -pe print scalar(localtime()), " ";
Tue May 13 15:39:20 2014 1.6 8478 ps -eo pcpu,pid,args --no-headers
Tue May 13 15:39:20 2014 1.2 8004 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
Tue May 13 15:41:08 2014 1.7 8527 /opt/lampp/sbin/mysqld --basedir=/opt/lampp --datadir=/opt/lampp/var/mysql --plugin-dir=/opt/lampp/lib/mysql/plugin --user=nobody --log-error=/opt/lampp/var/mysql/ip-10-178-52-49.err --pid-file=/opt/lampp/var/mysql/ip-10-178-52-49.pid --socket=/opt/lampp/var/mysql/mysql.sock --port=3306
Tue May 13 15:41:08 2014 1.5 8547 ps -eo pcpu,pid,args --no-headers
Tue May 13 15:41:08 2014 0.9 8003 [httpd] <defunct>
Tue May 13 15:43:01 2014 6.0 8578 sort -n -r
Tue May 13 15:43:15 2014 5.0 8577 ps -eo pcpu,pid,args --no-headers
Tue May 13 15:43:24 2014 3.3 8579 head -3
Tue May 13 15:44:21 2014 1.2 8527 /opt/lampp/sbin/mysqld --basedir=/opt/lampp --datadir=/opt/lampp/var/mysql --plugin-dir=/opt/lampp/lib/mysql/plugin --user=nobody --log-error=/opt/lampp/var/mysql/ip-10-178-52-49.err --pid-file=/opt/lampp/var/mysql/ip-10-178-52-49.pid --socket=/opt/lampp/var/mysql/mysql.sock --port=3306
Reason for State Change: Threshold Crossed: 1 datapoint (96.72) was greater than or equal to the threshold (80.0).
Timestamp: Tuesday 13 May, 2014 15:42:09 UTC
Cronlog:
Tue May 13 15:39:20 2014 2.0 8481 perl -pe print scalar(localtime()), " ";
Tue May 13 15:39:20 2014 1.6 8478 ps -eo pcpu,pid,args --no-headers
Tue May 13 15:39:20 2014 1.2 8004 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
Tue May 13 15:41:08 2014 1.7 8527 /opt/lampp/sbin/mysqld --basedir=/opt/lampp --datadir=/opt/lampp/var/mysql --plugin-dir=/opt/lampp/lib/mysql/plugin --user=nobody --log-error=/opt/lampp/var/mysql/ip-10-178-52-49.err --pid-file=/opt/lampp/var/mysql/ip-10-178-52-49.pid --socket=/opt/lampp/var/mysql/mysql.sock --port=3306
Tue May 13 15:41:08 2014 1.5 8547 ps -eo pcpu,pid,args --no-headers
Tue May 13 15:41:08 2014 0.9 8003 [httpd] <defunct>
Tue May 13 15:43:01 2014 6.0 8578 sort -n -r
Tue May 13 15:43:15 2014 5.0 8577 ps -eo pcpu,pid,args --no-headers
Tue May 13 15:43:24 2014 3.3 8579 head -3
Tue May 13 15:44:21 2014 1.2 8527 /opt/lampp/sbin/mysqld --basedir=/opt/lampp --datadir=/opt/lampp/var/mysql --plugin-dir=/opt/lampp/lib/mysql/plugin --user=nobody --log-error=/opt/lampp/var/mysql/ip-10-178-52-49.err --pid-file=/opt/lampp/var/mysql/ip-10-178-52-49.pid --socket=/opt/lampp/var/mysql/mysql.sock --port=3306
Tue May 13 15:44:21 2014 0.7 8569 CRON
Tue May 13 15:44:21 2014 0.7 8501 /opt/lampp/bin/httpd -k start -DSSL -DPHP5 -E /opt/lampp/logs/error_log
Tue May 13 15:44:21 2014 1.2 8527 /opt/lampp/sbin/mysqld --basedir=/opt/lampp --datadir=/opt/lampp/var/mysql --plugin-dir=/opt/lampp/lib/mysql/plugin --user=nobody --log-error=/opt/lampp/var/mysql/ip-10-178-52-49.err --pid-file=/opt/lampp/var/mysql/ip-10-178-52-49.pid --socket=/opt/lampp/var/mysql/mysql.sock --port=3306
Tue May 13 15:44:21 2014 0.7 8569 CRON
Now is there any way I can catch the process with high CPU usage? A website is hosted on the instance which has very low traffic.
Any help would be appreciated.
A couple of things:
You may see a disconnect between reported cpu usage on linux in a
virtual machine and what Amazon reports as the real cpu usage. Note
that the latter is correct. Cpu usage stats monitoring via ps and top are
unreliable, a good explanation resides here:
http://www.axibase.com/cloud/2010/07/22/ec2-monitoring-the-case-of-stolen-cpu/
Regardless of the accuracy of the top and ps commands, something is
causing cpu to spike. Ps and top should at least tell you which processes are using the most. Instead of calling ps once a minute which may
miss the offending process, why not run it in a loop from a bash
script with a short loop time (like every 10 seconds)? Redirect it
to a log file and and you should be able to find a ps or top entry
within a few seconds of the alarm. Something like this:
while :
do
date
echo
ps -eo pcpu,pid,args --no-headers
echo
top -c -b -n 1
echo
sleep 10
done
I created a database "my_new_database" and "albums", neither of which I can DELETE. I believe I am still in "ADMIN" party mode. To demonstrate my issue Ill just post some info below.
First here is to show couchdb running ( started using the SystemV script via service )
$ ps aux | grep couch
couchdb 2939 0.0 0.2 108320 1528 ? S 20:45 0:00 /bin/sh -e /usr/bin/couchdb -a /etc/couchdb/default.ini -a /etc/couchdb/local.ini -b -r 0 -p /var/run/couchdb/couchdb.pid -o /dev/null -e /dev/null -R
couchdb 2950 0.0 0.1 108320 732 ? S 20:45 0:00 /bin/sh -e /usr/bin/couchdb -a /etc/couchdb/default.ini -a /etc/couchdb/local.ini -b -r 0 -p /var/run/couchdb/couchdb.pid -o /dev/null -e /dev/null -R
couchdb 2951 4.8 2.3 362168 14004 ? Sl 20:45 0:00 /usr/lib64/erlang/erts-5.8.5/bin/beam -Bd -K true -A 4 -- -root /usr/lib64/erlang -progname erl -- -home /usr/local/var/lib/couchdb -- -noshell -noinput -sasl errlog_type error -couch_ini /etc/couchdb/default.ini /etc/couchdb/local.ini /etc/couchdb/default.ini /etc/couchdb/local.ini -s couch -pidfile /var/run/couchdb/couchdb.pid -heart
couchdb 2959 0.0 0.0 3932 304 ? Ss 20:45 0:00 heart -pid 2951 -ht 11
ec2-user 2963 0.0 0.1 103424 828 pts/1 S+ 20:45 0:00 grep couch
Here is the output of the ".couch" databases I have ( shown for user ownership and permissions)
$ ls -lat /var/lib/couchdb
-rw-r--r-- 1 couchdb couchdb 23 Oct 11 20:45 couch.uri
drwxr-xr-x 3 couchdb couchdb 4096 Oct 11 19:35 .
-rw-r--r-- 1 couchdb couchdb 79 Oct 11 19:35 database2.couch
-rwxrwxrwx 1 couchdb couchdb 79 Oct 11 19:00 my_new_database.couch
-rw-r--r-- 1 couchdb couchdb 4182 Oct 4 21:52 albums.couch
-rw-r--r-- 1 couchdb couchdb 79 Oct 4 21:42 albums-backup.couch
-rw-r--r-- 1 couchdb couchdb 4185 Oct 4 21:30 _users.couch
drwxr-xr-x 18 root root 4096 Oct 4 20:58 ..
drwxr-xr-x 2 root root 4096 Oct 4 18:34 .delete
Here is my first attempt to DELETE
$ curl -X DELETE http://127.0.0.1:5984/my_new_database
{"error":"unauthorized","reason":"You are not a server admin."}
And my second attempt using an authenticated user.
$ curl -X DELETE http://brian:brian#127.0.0.1:5984/my_new_database
{"error":"error","reason":"eacces"}
The username/password of brian/brian was added to the [admin] section of /etc/couchdb/local.ini
Here is the output of my "_users" file. The "key" and "id" fields confuse me.
$ curl -X GET http://brian:brian#127.0.0.1:5984/_users/_all_docs
{"total_rows":1,"offset":0,"rows":[
{"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-c44fb12a2676d481d235523092e0cec4"}}
]}
Have you restarted your CouchDB after you added to user to local.ini? If so, has the password in the file been hashed or is it readable?
Generally your file permissions look OK, so I can't tell what exactly causes the error. For a quick fix you can simply delete the .couch file, though.
This question is really old, but since I got bitten by this today and this is where Google led me, I thought I'd share my solution for others that stumble here. In my case, my Couch lib directory (/usr/local/var/lib/couchdb for me) had a directory called .delete that was owned by root. Changing the owner to couchdb let me delete databases again.
we would need to know how much memory and cpu time a matlab process had used with all of it's spawned threads. If I understand it correctly, all the threads will pop up as new processes with new process-ids but the CMD name will remain the same.
so I thought about creating a demon which append the usage in every n sec:
ps -o %cpu,%mem,cmd -C MATLAB | grep "[0-9]+" >> matlab_log
and later counting and summing up the ratios multiplied by the demon tick time.
I wonder if there is an easier way, or I missing something, or simply just exist some tool more handy for this job?
Cheers
If you install the BSD Process Accounting utilities (package acct on Debian and Ubuntu) you can use the sa(8) utility to summarize executions or give you semi-detailed execution logs:
$ lastcomm
...
man F X sarnold pts/3 0.00 secs Fri May 4 16:21
man F X sarnold pts/3 0.00 secs Fri May 4 16:21
vim sarnold pts/3 0.05 secs Fri May 4 16:20
sa sarnold pts/3 0.00 secs Fri May 4 16:20
sa sarnold pts/3 0.00 secs Fri May 4 16:20
bzr sarnold pts/3 0.99 secs Fri May 4 16:19
apt-get S root pts/1 0.44 secs Fri May 4 16:18
dpkg root pts/1 0.00 secs Fri May 4 16:19
dpkg root pts/1 0.00 secs Fri May 4 16:19
dpkg root pts/1 0.00 secs Fri May 4 16:19
apt-get F root pts/1 0.00 secs Fri May 4 16:19
...
$ sa
633 15.22re 0.09cp 0avio 6576k
24 8.51re 0.03cp 0avio 6531k ***other*
2 0.31re 0.02cp 0avio 10347k apt-get
3 0.02re 0.02cp 0avio 9667k python2.7
18 0.04re 0.01cp 0avio 5444k dpkg
2 0.01re 0.01cp 0avio 13659k debsums
...
The format of the acct file is documented in acct(5), so you could write your own programs to parse the files if none of the standard tools lets you express the queries you want.
Probably the largest downside to the BSD process accounting utilities is that the kernel will only update the process accounting log when processes exit, because many of the summary numbers are only available once another process wait(2)s for it -- so currently running processes are completely overlooked by the utilities.
These utilities may be sufficient though; these utilities is how compute centers billed their clients, back when compute centers were popular...
You can also use top:
top -b -n 1 | grep MATLAB
14226 user 39 19 2476m 1.4g 26m S 337.2 9.2 24:44.60 MATLAB
25878 user 39 19 2628m 1.6g 26m S 92.0 10.6 21:07.36 MATLAB
14363 user 39 19 2650m 1.4g 26m S 79.7 9.1 23:58.38 MATLAB
14088 user 39 19 2558m 1.4g 26m S 61.3 9.1 25:14.53 MATLAB
14648 user 39 19 2629m 1.6g 26m S 55.2 10.5 22:03.20 MATLAB
14506 user 39 19 2613m 1.5g 26m S 49.0 9.4 22:32.47 MATLAB
14788 user 39 19 2599m 1.6g 26m S 49.0 10.3 20:44.78 MATLAB
25650 user 39 19 2608m 1.6g 26m S 42.9 10.2 25:08.38 MATLAB
or to get fieldnames too:
top -b -n 1 | head -n 7 | tail -n 1; top -b -n 1 | grep MATLAB
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
14226 user 39 19 2476m 1.4g 26m S 337.2 9.2 24:44.60 MATLAB
25878 user 39 19 2628m 1.6g 26m S 92.0 10.6 21:07.36 MATLAB
14363 user 39 19 2650m 1.4g 26m S 79.7 9.1 23:58.38 MATLAB
14088 user 39 19 2558m 1.4g 26m S 61.3 9.1 25:14.53 MATLAB
14648 user 39 19 2629m 1.6g 26m S 55.2 10.5 22:03.20 MATLAB
14506 user 39 19 2613m 1.5g 26m S 49.0 9.4 22:32.47 MATLAB
14788 user 39 19 2599m 1.6g 26m S 49.0 10.3 20:44.78 MATLAB
25650 user 39 19 2608m 1.6g 26m S 42.9 10.2 25:08.38 MATLAB
Is it possible to get the start time of an old running process? It seems that ps will report the date (not the time) if it wasn't started today, and only the year if it wasn't started this year. Is the precision lost forever for old processes?
You can specify a formatter and use lstart, like this command:
ps -eo pid,lstart,cmd
The above command will output all processes, with formatters to get PID, command run, and date+time started.
Example (from Debian/Jessie command line)
$ ps -eo pid,lstart,cmd
PID CMD STARTED
1 Tue Jun 7 01:29:38 2016 /sbin/init
2 Tue Jun 7 01:29:38 2016 [kthreadd]
3 Tue Jun 7 01:29:38 2016 [ksoftirqd/0]
5 Tue Jun 7 01:29:38 2016 [kworker/0:0H]
7 Tue Jun 7 01:29:38 2016 [rcu_sched]
8 Tue Jun 7 01:29:38 2016 [rcu_bh]
9 Tue Jun 7 01:29:38 2016 [migration/0]
10 Tue Jun 7 01:29:38 2016 [kdevtmpfs]
11 Tue Jun 7 01:29:38 2016 [netns]
277 Tue Jun 7 01:29:38 2016 [writeback]
279 Tue Jun 7 01:29:38 2016 [crypto]
...
You can read ps's manpage or check Opengroup's page for the other formatters.
The ps command (at least the procps version used by many Linux distributions) has a number of format fields that relate to the process start time, including lstart which always gives the full date and time the process started:
# ps -p 1 -wo pid,lstart,cmd
PID STARTED CMD
1 Mon Dec 23 00:31:43 2013 /sbin/init
# ps -p 1 -p $$ -wo user,pid,%cpu,%mem,vsz,rss,tty,stat,lstart,cmd
USER PID %CPU %MEM VSZ RSS TT STAT STARTED CMD
root 1 0.0 0.1 2800 1152 ? Ss Mon Dec 23 00:31:44 2013 /sbin/init
root 5151 0.3 0.1 4732 1980 pts/2 S Sat Mar 8 16:50:47 2014 bash
For a discussion of how the information is published in the /proc filesystem, see
https://unix.stackexchange.com/questions/7870/how-to-check-how-long-a-process-has-been-running
(In my experience under Linux, the time stamp on the /proc/ directories seem to be related to a moment when the virtual directory was recently accessed rather than the start time of the processes:
# date; ls -ld /proc/1 /proc/$$
Sat Mar 8 17:14:21 EST 2014
dr-xr-xr-x 7 root root 0 2014-03-08 16:50 /proc/1
dr-xr-xr-x 7 root root 0 2014-03-08 16:51 /proc/5151
Note that in this case I ran a "ps -p 1" command at about 16:50, then spawned a new bash shell, then ran the "ps -p 1 -p $$" command within that shell shortly afterward....)
As a follow-up to Adam Matan's answer, the /proc/<pid> directory's time stamp as such is not necessarily directly useful, but you can use
awk -v RS=')' 'END{print $20}' /proc/12345/stat
to get the start time in clock ticks since system boot.1
This is a slightly tricky unit to use; see also convert jiffies to seconds for details.
awk -v ticks="$(getconf CLK_TCK)" 'NR==1 { now=$1; next }
END { printf "%9.0f\n", now - ($20/ticks) }' /proc/uptime RS=')' /proc/12345/stat
This should give you seconds, which you can pass to strftime() to get a (human-readable, or otherwise) timestamp.
awk -v ticks="$(getconf CLK_TCK)" 'NR==1 { now=$1; next }
END { print strftime("%c", systime() - (now-($20/ticks))) }' /proc/uptime RS=')' /proc/12345/stat
Updated with some fixes from Stephane Chazelas in the comments; thanks as always!
If you only have Mawk, maybe try
awk -v ticks="$(getconf CLK_TCK)" -v epoch="$(date +%s)" '
NR==1 { now=$1; next }
END { printf "%9.0f\n", epoch - (now-($20/ticks)) }' /proc/uptime RS=')' /proc/12345/stat |
xargs -i date -d #{}
1 man proc; search for starttime.
ls -ltrh /proc | grep YOUR-PID-HERE
For example, my Google Chrome's PID is 11583:
ls -l /proc | grep 11583
dr-xr-xr-x 7 adam adam 0 2011-04-20 16:34 11583
$ ps -p 182454 -o lstart=
Mon Oct 18 17:26:44 2021
But can I get the answer in epoch seconds?
ps -eo pid,cmd,lstart | grep YOUR-PID-HERE
ps -eo pid,etime,cmd|sort -n -k2
use the command ls -ld /proc/process_id where process_id can be find using top command