6

Is there a way to see processes that finished running or were killed a given amount of time ago?

For instance, ps -ef will show all running processes, but if a process finishes, it is no longer returned by this command. So for instance if I wanted to see what processes (with their commands) were running an hour ago, is there any command to do that? Or a log of processes no longer in use?

Trying to investigate a blip an hour ago and would like as much information as possible!

Cheers

Rooster

2 Answers

8

You can find that information in the system log /var/log/syslog and /var/log/messages

Depending on what process they were you may be able to find some info about their start time etc.

ex:

Feb  1 12:31:21 centos7 NetworkManager[809]: <info> dhclient started with pid 1319

If you are investigating some resource usage you can log it using pidstat and write it to a log file.

Also, some applications write a PID file, so in the future you can log that as well.

PoX
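The syslog approach from the answer above, as an added example that is not part of the original answer: an awk filter that lists which programs and PIDs logged inside a time window. It assumes the traditional "Mon DD HH:MM:SS host tag[pid]:" layout; the function names are assumptions, and the sample lines are constructed apart from the NetworkManager line quoted in the answer.

```shell
#!/bin/sh
# Added example, not from the original answer.
# sample_log prints constructed syslog lines (only the NetworkManager line
# is the one quoted in the answer) so the filter can be run offline.
sample_log() {
    cat <<'EOF'
Feb  1 11:58:02 centos7 systemd[1]: Started Session 12 of user root.
Feb  1 12:31:21 centos7 NetworkManager[809]: <info> dhclient started with pid 1319
Feb  1 12:31:22 centos7 dhclient[1319]: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Feb  1 12:31:22 centos7 dhclient[1319]: DHCPACK from 10.0.0.1
Feb  1 12:40:01 centos7 CROND[1402]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Feb  1 12:47:10 centos7 kernel: Out of memory: Kill process 1377 (java) score 912 or sacrifice child
Feb  1 13:05:44 centos7 sshd[1500]: Accepted publickey for root from 10.0.0.5 port 50122 ssh2
EOF
}

# procs_in_window FILE MONTH DAY START END
# Prints one line per program/PID that logged on that day between START and
# END (zero-padded HH:MM:SS, so plain string comparison orders correctly).
# FILE may be "-" for stdin. Only processes that wrote a log line show up.
procs_in_window() {
    awk -v mon="$2" -v day="$3" -v start="$4" -v end="$5" '
        $1 == mon && $2 + 0 == day + 0 && $3 >= start && $3 <= end {
            tag = $5                      # e.g. "dhclient[1319]:"
            sub(/:$/, "", tag)
            pid = "-"                     # tags such as "kernel:" carry no PID
            if (match(tag, /\[[0-9]+\]$/)) {
                pid = substr(tag, RSTART + 1, RLENGTH - 2)
                tag = substr(tag, 1, RSTART - 1)
            }
            key = tag SUBSEP pid
            if (!(key in first)) { first[key] = $3; order[++n] = key }
            last[key] = $3
            count[key]++
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                split(k, p, SUBSEP)
                printf "%s pid=%s first=%s last=%s lines=%d\n",
                       p[1], p[2], first[k], last[k], count[k]
            }
        }
    ' "$1"
}

# Demo: what logged on Feb 1 between 12:00 and 13:00 in the sample?
sample_log | procs_in_window - Feb 1 12:00:00 13:00:00
```

On a real host, pass /var/log/messages or /var/log/syslog (or a rotated copy) instead of `-`.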
2

If you don't have things set up ahead of time you won't get what you need, but psacct keeps track of processes, but you have to make sure of storage. Then you would use lastcomm and all kinds of tools to see what was running when, and by what user. Auditing may help too, if you have your rules set up right.

But if you don't have these things set up ahead of time, unless the programs do their own logging, you may not be able to find much information.

lsd