Recipe 9.40 Parsing the Process Accounting Log
9.40.1 ProblemYou want to extract detailed information such as exit codes from the process accounting log. 9.40.2 SolutionRead and unpack the accounting records with this Perl script: #!/usr/bin/perl use POSIX qw(:sys_wait_h); use constant ACORE => 0x08; # for $flag, below $/ = \64; # size of each accounting record while (my $acct = <>) { my ( $flag, $uid, $gid, $tty, $btime, $utime, $stime, $etime, $mem, $io, $rw, $minflt, $majflt, $swaps, $exitcode, $comm) = unpack("CxS3LS9x2LA17", $acct); printf("%s %-16s", scalar(localtime($btime)), $comm); printf(" exited with status %d", WEXITSTATUS($exitcode)) if WIFEXITED($exitcode); printf(" was killed by signal %d", WTERMSIG($exitcode)) if WIFSIGNALED($exitcode); printf(" (core dumped)") if $flag & ACORE; printf("\n"); } exit(0); 9.40.3 DiscussionEven the dump-acct command [Recipe 9.39] misses some information recorded by the kernel, such as the exit code. This is really the status that would have been returned by wait(2), and includes the specific signal for commands that were killed. To recover this information, attack the accounting records directly with a short Perl script. Our recipe shows how to read and unpack the records, according to the description in /usr/include/sys/acct.h. When we run the script, it produces a chronological report that describes how each process expired, e.g: Sun Feb 16 21:23:56 2003 ls exited with status 0 Sun Feb 16 21:24:05 2003 sleep was killed by signal 2 Sun Feb 16 21:24:14 2003 grep exited with status 1 Sun Feb 16 21:25:05 2003 myprogram was killed by signal 7 (core dumped) 9.40.4 See Alsoacct(5). The C language file /usr/include/sys/acct.h describes the accounting records written by the kernel. |
EAN: 2147483647
Pages: 247