Administering BSD-style accounting involves several tasks:
As indicated, BSD-style accounting uses some additional accounting summary files, located in the same directory as the primary accounting file. These files store processed, summarized versions of the accumulated raw accounting data. They are maintained by the sa command and are useful in keeping the size of the accounting file to a manageable level:
17.2.1 Enabling and Disabling Accounting
The accton command controls the current state of a BSD-style accounting facility. The command enables accounting when an accounting file is specified as its argument (its location in the filesystem varies). Without an argument, the command disables accounting. Once the command is executed, accounting records will be written automatically to the accounting file.
The one tricky aspect of accton is that any raw accounting data file you specify must already exist, because the command will not create it. Accordingly, commands such as the following are used to start the accounting system from one of the system boot scripts:
    return="done"
    echo -n "Starting process accounting: "
    test -e /var/adm/pacct || touch /var/adm/pacct
    /usr/sbin/accton /var/adm/pacct || return="failed"
    echo "$return"
These commands first check that the raw accounting data file exists, creating it if necessary, and then start the accounting system via accton.
Once accounting is installed on FreeBSD and SuSE Linux systems, you can automatically activate it at boot time by editing the appropriate setting in the system's boot script configuration file, as described in Table 17-1.
The current Red Hat Linux version of the accounting package does not include a boot script. However, it is easy to create one from a boot script template (see Chapter 4), using the commands above as a model for the script's start function and the bare accton command for the stop function. Once you've written the script, you will need to place it into /etc/init.d and create links to the appropriate rcn.d directory for it to be run at boot time.
17.2.2 Merging Accounting Records into the Summary Files
The accounting file will grow without bounds if allowed to do so. Its contents are designed to be processed and merged into the accumulated accounting summary files with the sa command. When invoked with its -s option, the sa command processes raw accounting records and places condensed summary information into the summary files. Here is an example of its use:
    # cd /var/adm                    Move to accounting directory.
    # /usr/sbin/accton               Briefly disable accounting.
    # mv pacct pacct.sav             Rename raw accounting file.
    # cat /dev/null > pacct          Recreate raw accounting file.
    # /usr/sbin/accton pacct         Restart accounting.
    # sa -s pacct.sav > /dev/null    Merge data into standard summary file.
    # rm -f pacct.sav                Delete saved accounting records.
The accounting file is renamed prior to invoking sa so that processes that terminate during processing are recorded. The output from sa is redirected to /dev/null to discard the report it generates. Alternatively, it could be sent to a file.
A script could be created to run these commands, so that they could be executed as needed by the system administrator or automatically via the cron facility.
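One way to package the sequence above as a script suitable for cron, added here as an example rather than taken from the original text. It refuses to overwrite a pacct.sav left by a failed run and deletes the saved records only after sa succeeds. The /var/adm default follows the page; merge_pacct, the ACCTON and SA overrides and the --run flag are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original text): rotate the raw accounting file
# and merge it into the summary files, keeping the data if any step fails.
# Assumed defaults follow the page's examples; override via the environment.
ACCTON=${ACCTON:-/usr/sbin/accton}
SA=${SA:-sa}

# merge_pacct DIR: runs in a subshell so cd and umask do not leak out.
# Exit codes: 1 bad directory/file, 2 unmerged pacct.sav left by an earlier
# run, 3 could not rotate, 4 could not restart accounting, 5 sa failed.
merge_pacct() (
    umask 077                       # new pacct readable by its owner only
    cd "$1" || exit 1
    [ -f pacct ] || exit 1
    # Never overwrite records that a previous run failed to merge.
    if [ -e pacct.sav ]; then
        echo "merge_pacct: $1/pacct.sav exists; merge it by hand first" >&2
        exit 2
    fi
    "$ACCTON" || exit 3             # briefly disable accounting
    if ! mv pacct pacct.sav; then
        "$ACCTON" pacct             # rotation failed: resume on the old file
        exit 3
    fi
    : > pacct || exit 4             # accton will not create the file itself
    "$ACCTON" pacct || exit 4       # restart accounting
    # Delete the saved records only after sa has merged them successfully.
    "$SA" -s pacct.sav > /dev/null || exit 5
    rm -f pacct.sav
)

# Run only when invoked as: script --run [DIR]   (e.g. from root's crontab)
if [ "${1:-}" = "--run" ]; then
    merge_pacct "${2:-/var/adm}"
fi
```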
17.2.3 After a Crash
The accounting system is designed to handle system shutdowns and boots automatically. However, special steps must be taken in the event of a system crash. For the accounting system to process data for processes that were running when a system crash occurred, the administrator must manually close their outstanding accounting records. These records must be closed before accounting is started. If accounting is started automatically in the system boot scripts (as it usually is), closing incomplete accounting records needs to occur before the accounting startup scripts are executed. The easy way to accomplish this is to boot to single-user mode after the crash.
The accounting file may be saved by renaming it using a mv command, as in the following example:
    # mv /var/adm/acct /var/adm/acct.sav
    # touch /var/adm/acct
The second command recreates the accounting file, readying it for new records when accounting is started in /etc/rc.
At this point, the system may be booted multiuser. Once booting is complete, the following commands close the accounting records that were pending at the time of the crash:
    # sa -s /var/adm/acct.sav >/dev/null
    # rm -f /var/adm/acct.sav
These commands update the summary files and then delete the saved accounting file.
17.2.4 Image-Based Resource Use Reporting: sa
The sa utility produces system usage reports based on the image (command) that was executed. That is, in most cases, its statistics are organized and presented by image name, rather than by user or project. sa reads the raw accounting file and its summary file (savacct) to accumulate its data. Without any options, sa produces a report like the following (output has been shortened):
    # sa
      11238  412355.91re  5017.62cp    14avio  148k  login
       4299    1782.32re  1000.28cp   122avio   73k  ld
      12648    1335.62re   639.28cp    12avio   26k  as
       6489    1121.66re   541.82cp    50avio   10k  makemake.c
          4     627.93re   258.43cp     3avio    0k  splice
        225    6623.90re   248.56cp  2545avio    8k  find
In this default output, the image name appears in the final (rightmost) column. The numerical fields in sa's output are identified by their suffixes, which have the following meanings:
Not all data items appear in every report. The first five items appear in the default output. The other items appear in reports generated by some of sa's many options.
sa's output may be sorted in a number of different ways by selecting an appropriate option:
The -D option produces a report containing the total I/O use by the command; lines are sorted according to this total:
    # sa -D
        225   6623.90re   248.56cp  572608tio   8k  find
       4299   1782.32re  1000.28cp  522580tio  73k  ld
       9205  58785.98re   188.08cp  497421tio   9k  makenv
         56   9610.25re    80.79cp  495507tio  18k  buildsystem
         20     50.27re    14.79cp  369163tio  11k  ncheck
Here is the output from the -b option, which sorts by average CPU time:
    # sa -b -r
          3  3843.47re    7.91cp  47323avio   1k  update*
          2     8.75re    7.39cp   1055avio   2k  code
         11   294.67re   50.19cp   5961avio  14k  fsck
          4  6680.53re  162.02cp     26avio  20k  timed*
          4   627.93re  258.43cp      3avio   0k  splice
As illustrated, the -r option may be used to reverse the order of the sort (low to high instead of high to low).
The -m option produces a listing of the total number of processes and CPU time for each user:
    # sa -m
    root    247648  19318.90cpu  7698005tio  3793802k*sec
    chavez       2      3.67cpu        0tio  1013391k*sec
    harvey       4      7.33cpu        0tio  2024939k*sec
    daemon    7799   2742.86cpu  1616886tio   488234k*sec
    wang         6   2956.44cpu  1067648tio   406004k*sec
Use the -u option to dump out all accounting records in a user-based format.
The -l option may be used to separate user and system time in sa's output:
    # sa -l
      11238  412355.91re  4691.13u  326.49s   14avio  148k  ccom7
       4299    1782.32re   861.52u  138.76s  122avio   73k  ld
      12648    1335.62re   567.13u   72.15s   12avio   26k  as
          4     627.93re   252.13u    6.30s    3avio    0k  splice
Include -c to show times as percentages of the total rather than raw values.
You can limit sa's output to the most frequently run commands using its -v and -f options. For example, the report from the following sa command will include only those commands executed more than 100 times:
    # sa -f -v 100
Alternate summary files may be specified with the -S and -U options, where -S indicates an alternative to savacct, and -U specifies an alternative to the per-user summary file usracct; both should be followed by a pathname. sa's reports may be limited to the raw accounting file with the -i option.
The Linux version of sa provides a few additional options. The most useful adds an additional data sorting capability: --sort-real-time. This option sorts records based on the elapsed time field.
17.2.5 Connect Time Reporting: ac
The ac utility reports on user connect time. It gets its data from the wtmp file, containing records on user logins and logouts. Without any options, ac displays the total connect time (in hours) for all users for the lifetime of the wtmp file:
    # ac
    total  5501.06
The command may also be followed by one or more usernames, in which case the total for those users is displayed:
    # ac chavez wang fine
    total  1588.65
The -p option breaks down connect time by user:
    # ac -p
    ng          30.61
    chavez     685.25
    harvey       0.04
    wang       170.77
    sysadmin    44.84
    fine       732.78
Usernames may be specified with -p to limit ac's scope:
    # ac -p chavez wang fine
    chavez   685.25
    wang     170.77
    fine     732.78
    total   1588.79
The -d option breaks down the connect time by date, summed over all specified users (the default is everyone):
    # ac -d
    Sep 1  total   77.32
    Sep 2  total  228.78
    Sep 3  total  260.82
    # ac -d chavez wang fine
    Sep 1  total   11.83
    Sep 2  total   20.36
    Sep 3  total   41.00
Using -d and -p together produces a summary of login activity, broken down by user and by date; from an accounting point of view, this is likely to be ac's only useful mode:
    # ac -d -p chavez wang
           chavez  16.07
           wang     4.55
    Sep 1  total   20.62
           chavez  15.87
           wang    20.15
    Sep 2  total   36.01
           chavez  22.82
           wang    17.68
    Sep 3  total   40.50
ac -d -p would produce a similar listing, including all users.
Connect times for an individual user might exceed 24 hours in a single day; this is easily accounted for by the fact that users may be logged on more than once simultaneously, via multiple windows, terminal sessions, and the like. Indeed, the ubiquitous prevalence of such practices makes connect-time accounting all but useless.
The Linux version of ac tries to be more careful about reconstructing connect-time data when the raw records include orphan records caused by system crashes or reboots, flaky data (which does occur from time to time), and the like. It provides the --compatibility option, which causes the command to revert to the standard dubious behavior.
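The per-user, per-day listing from ac -d -p can be filtered for the case described above, where one user's connect time for a single day exceeds 24 hours. The following is an added example, not part of the original text; ac_over_24h and ac_sample are names chosen here, and the sample figures are constructed.

```shell
#!/bin/sh
# Added example (not from the original text). Reads `ac -d -p` output on stdin
# and prints "date<TAB>user<TAB>hours" for each user whose connect time for a
# single day exceeds 24 hours, i.e. who had overlapping sessions that day.
ac_over_24h() {
    awk '
    # A "<date> total <hours>" line closes the block of user lines before it.
    NF >= 3 && $(NF-1) == "total" {
        date = $1
        for (i = 2; i < NF - 1; i++) date = date " " $i
        for (u in hrs)
            if (hrs[u] > 24) printf "%s\t%s\t%.2f\n", date, u, hrs[u]
        split("", hrs)                 # portable way to empty the array
        next
    }
    # User line: "<name> <hours>"; remember it until its date line arrives.
    NF == 2 && $2 ~ /^[0-9]+(\.[0-9]+)?$/ { hrs[$1] = $2 + 0 }
    ' | sort
}

# Constructed sample in the layout shown above (values are not from the page).
ac_sample() {
    cat <<'EOF'
        chavez   16.07
        wang      4.55
Sep 1   total    20.62
        chavez   31.50
        wang     20.15
Sep 2   total    51.65
EOF
}

ac_sample | ac_over_24h    # real use: ac -d -p | ac_over_24h
```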