17.2 BSD-Style Accounting: FreeBSD, Linux, and AIX

Administering BSD-style accounting involves several tasks:

  • Enabling the accounting system and arranging for it to be started automatically at boot time.

  • Periodically merging raw accounting records into the summary data files.

  • Running accounting reports.

As indicated, BSD-style accounting uses some additional accounting summary files, located in the same directory as the primary accounting file. These files store processed, summarized versions of the accumulated raw accounting data. They are maintained by the sa command and are useful in keeping the size of the accounting file to a manageable level:


The standard accounting summary file


The user-based accounting summary file

17.2.1 Enabling and Disabling Accounting

The accton command controls the current state of a BSD-style accounting facility. The command enables accounting when an accounting file is specified as its argument (its location in the filesystem varies). Without an argument, the command disables accounting. Once the command is executed, accounting records will be written automatically to the accounting file.

The one tricky aspect of accton is that any raw accounting data file you specify must already exist, because the command will not create it. Accordingly, commands such as the following are used to start the accounting system from one of the system boot scripts:

return="done" echo -n "Starting process accounting: " test -e /var/account/pacct || touch /var/adm/pacct /usr/sbin/accton /var/adm/pacct || return="failed" echo "$return"

These commands first check that the raw accounting data file exists, creating it if necessary, and then start the accounting system via accton.

Once accounting is installed on FreeBSD and SuSE Linux systems, you can automatically activate it at boot time by editing the appropriate setting in the system's boot script configuration file, as described in Table 17-1.

The current Red Hat Linux version of the accounting package does not include a boot script. However, it is easy to create one from a boot script template (see Chapter 4), using the commands above as a model for the script's start function and the bare accton command for the stop function. Once you've written the script, you will need to place it into /etc/init.d and create links to the appropriate rcn.d directory for it to be run at boot time.

17.2.2 Merging Accounting Records into the Summary Files

The accounting file will grow without bounds if allowed to do so. Its contents are designed to be processed and merged into the accumulated accounting summary files with the sa command. When invoked with its -s option, the sa command processes raw accounting records and places condensed summary information into the summary files. Here is an example of its use:

# cd /var/adm                     Move to accounting directory. # /usr/sbin/accton                Briefly disable accounting. # mv pacct pacct.sav              Rename  raw accounting file. # cat /dev/null > pacct           Recreate raw accounting file. # /usr/sbin/accton pacct          Restart accounting. # sa -s pacct.sav > /dev/null     Merge data into standard summary file. # rm -f pacct.sav                 Delete saved accounting records.

The accounting file is renamed prior to invoking sa so that processes that terminate during processing are recorded. The output from sa is piped to /dev/null to discard the report it generates. Alternatively, it could be sent to a file.

A script could be created to run these commands, so that they could be executed as needed by the system administrator or automatically via the cron facility.

17.2.3 After a Crash

The accounting system is designed to handle system shutdowns and boots automatically. However, special steps must be taken in the event of a system crash. For the accounting system to process data for processes that were running when a system crash occurred, the administrator must manually close their outstanding accounting records. These records must be closed before accounting is started. If accounting is started automatically in the system boot scripts (as it usually is), closing incomplete accounting records needs to occur before the accounting startup scripts are executed. The easy way to accomplish this is to boot to single-user mode after the crash.

The accounting file may be saved by renaming it using a mv command, as in the following example:

# mv /var/adm/acct /var/adm/acct.sav # touch /var/adm/acct

The second command recreates the accounting file, readying it for new records when accounting is started in /etc/rc.

At this point, the system may be booted multiuser. Once booting is complete, the following commands close the accounting records that were pending at the time of the crash:

# sa -s /var/adm/acct.sav >/dev/null # rm -f /var/adm/acct.sav

These commands update the summary files and then delete the saved accounting file.

17.2.4 Image-Based Resource Use Reporting: sa

The sa utility produces system usage reports based on the image (command) that was executed. That is, in most cases, its statistics are organized and presented by image name, rather than by user or project. sa reads the raw accounting file and its summary file (savacct) to accumulate its data. Without any options, sa produces a report like the following (output has been shortened):

# sa 11238    412355.91re  5017.62cp    14avio  148k  login 4299       1782.32re  1000.28cp   122avio   73k  ld 12648      1335.62re   639.28cp    12avio   26k  as 6489       1121.66re   541.82cp    50avio   10k  makemake.c 4           627.93re   258.43cp     3avio    0k  splice 225        6623.90re   248.56cp  2545avio    8k  find

In this default output, the image name appears in the final (rightmost) column. The numerical fields in sa's output are identified by their suffixes, which have the following meanings:


Number of times called

cp, cpu

CPU time (system + user) in minutes


Elapsed time in minutes


Average number of I/O operations per execution


CPU time-averaged memory use in KB


Aggregate memory use in KB-seconds


Total I/O operations for all executions


System CPU time in minutes


User CPU time in minutes

Not all data items appear in every report. The first five items appear in the default output. The other items appear in reports generated by some of sa's many options.

sa's output may be sorted in a number of different ways by selecting an appropriate option:


Average total CPU time per execution


Average number of disk I/O operations


Total number of disk I/O operations


CPU time-averaged memory usage


CPU-storage integral


Number of calls


Reverse sorting order

The -D option produces a report containing the total I/O use by the command; lines are sorted according to this total:

# sa -D  225        6623.90re   248.56cp  572608tio   8k  find  4299       1782.32re  1000.28cp  522580tio  73k  ld  9205      58785.98re   188.08cp  497421tio   9k  makenv  56         9610.25re    80.79cp  495507tio  18k  buildsystem  20           50.27re    14.79cp  369163tio  11k  ncheck

Here is the output from the -b option, which sorts by average CPU time:

# sa -b -r  3          3843.47re     7.91cp 47323avio    1k  update* 2             8.75re     7.39cp  1055avio    2k  code  11          294.67re    50.19cp  5961avio   14k  fsck  4          6680.53re   162.02cp    26avio   20k  timed*  4           627.93re   258.43cp     3avio    0k  splice

As illustrated, the -r option may be used to reverse the order of the sort (low to high instead of high to low).

The -m option produces a listing of the total number of processes and CPU time for each user:

# sa -m  root     247648  19318.90cpu  7698005tio  3793802k*sec  chavez        2      3.67cpu        0tio  1013391k*sec  harvey        4      7.33cpu        0tio  2024939k*sec  daemon     7799   2742.86cpu  1616886tio   488234k*sec  wang          6   2956.44cpu  1067648tio   406004k*sec

Use the -u option to dump out all accounting records in a user-based format.

The -l option may be used to separate user and system time in sa's output:

# sa -l  11238    412355.91re  4691.13u    326.49s  14avio 148k  ccom7  4299       1782.32re   861.52u    138.76s 122avio  73k  ld  12648      1335.62re   567.13u     72.15s  12avio  26k  as  4           627.93re   252.13u      6.30s   3avio   0k  splice

Include -c to show times as percentages of the total rather than raw values.

You can limit sa's output to the most frequently run commands using its -v and -f options. For example, the report from the following sa command will include only those commands executed more that 100 times:

# sa -f -v 100

Alternate summary files may be specified with the -S and -U options, where -S indicates an alternative to savacct, and -U specifies an alternative to the per-user summary file usracct; both should be followed by a pathname. sa's reports may be limited to the raw accounting file with the -i option.

The Linux version of sa provides a few additional options. The most useful adds an additional data sorting capability: --sort-real-time. This option sorts records based on the elapsed time field.

17.2.5 Connect Time Reporting: ac

The ac utility reports on user connect time. It gets its data from the wtmp file, containing records on user logins and logouts. Without any options, ac displays the total connect time (in hours) for all users for the lifetime of the wtmp file:

# ac          total  5501.06

The command may also be followed by one or more usernames, in which case the total for those users is displayed:

# ac chavez wang fine          total  1588.65

The -p option breaks down connect time by user:

# ac -p          ng         30.61          chavez    685.25          harvey      0.04          wang      170.77          sysadmin   44.84          fine      732.78

Usernames may be specified with -p to limit ac's scope:

# ac -p chavez wang fine          chavez    685.25          wang      170.77          fine      732.78          total    1588.79

The -d option breaks down the connect time by date, summed over all specified users (the default is everyone):

# ac -d  Sep  1   total     77.32  Sep  2   total    228.78  Sep  3   total    260.82 # ac -d chavez wang fine  Sep  1   total     11.83  Sep  2   total     20.36  Sep  3   total     41.00

Using -d and -p together produces a summary of login activity, broken down by user and by date; from an accounting point of view, this is likely to be ac's only useful mode:

# ac -d -p chavez wang          chavez    16.07          wang       4.55  Sep  1   total     20.62          chavez    15.87          wang      20.15  Sep  2   total     36.01          chavez    22.82          wang      17.68  Sep  3   total     40.50

ac -d -p would produce a similar listing, including all users.

Connect times for an individual user might exceed 24 hours in a single day; this is easily accounted for by the fact that users may be logged on more than once simultaneously, via multiple windows, terminal sessions, and the like. Indeed, the ubiquitous prevalence of such practices makes connect-time accounting all but useless.

The Linux version of ac tries to be more careful about reconstructing connect-time data when the raw records include orphan records caused by system crashes or reboots, flaky data (which does occur from time to time), and the like. It provides the --compatibility option, which causes the command to revert to the standard dubious behavior.

Essential System Administration
Essential System Administration, Third Edition
ISBN: 0596003439
EAN: 2147483647
Year: 2002
Pages: 162

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net