This document contains information on various aspects of system accounting for all levels of AIX Version 3.2 and AIX Version 4.
System accounting, which comes from BDS or System V, is documented in the AIX System Management Guide.
Additional information can also be found in the following book:
UNIX Administration Guide for System V
(Chapter 7 is on System Accounting)
by Rebecca Thomas and Rik Sarrow
Publisher: Prentice and Hall
ISBN 0-13-942889-5
If the accounting software is not installed, it will need to be installed before setting up system accounting. The LPP is bosext2.acct.obj for AIX 3.2 and fileset bos.acct for AIX 4.
Accounting generates daily reports in /var/adm/acct/sum. The file names are rprtMMDD, where MM is the month and DD is the date.
The first of each month, a monthly report is created and the daily reports are removed. This is in /var/adm/acct/fiscal and is called fiscrptMM, where MM is the month. The report is for the previous month. For example, fiscrpt02 is the monthly report for January.
The reports contain the following information:
Follow the steps in the separate fax documents entitled "Set Up of System Accounting in AIX 3.2" or "Set Up of System Accounting in AIX 4.x", according to your AIX level. The steps include:
The System Management Guide briefly describes each file in these directories.
Accounting will cause /var to grow. Running accounting with defaults takes one physical partition (4MB) in /var, this may be increased to at least two physical partitions (8MB). Monitor /var to see if the size will need to be increased. Accounting is not the only reason that /var may be full; the queueing system is also in /var and may especially take up space if a lot of printing is done.
Each command that is run adds 40 bytes to the pacct file. So, 25000 commands a day requires 1 MB of free space in /var for the pacct files. This space is freed nightly.
The daily reports could require anywhere from 1-3 MB throughout the month. This space is freed at the end of each month. The monthly reports should require less than 1 MB of free space throughout the year. These numbers will vary with the amount of activity on the system.
Logins and logouts are logged in /var/adm/wtmp. It is cleared out nightly by runacct. If accounting is not running, this file will grow. This file does not have to exist if accounting is not running, but it is useful. To see an ASCII version of wtmp, /etc/utmp, or /etc/security/failedlogin, use the fwtmp command.
All daily process activity is logged in /var/adm/pacct. Each process completed increases this file by 40 bytes. For heavily used systems, this file can use large amounts of space in /var.
/usr/sbin/acct/ckpacct checks the size of /var/adm/pacct and the amount of free space in /var. It is run from cron and should be run at intervals appropriate for the system.
If /var/adm/pacct is over 1000 blocks, ckpacct will switch the pacct file. This means it will copy pacct to pacct# (# starts with 1 and increases to the next unused number) and clear out pacct again.
If the free space in /var falls below 500 blocks, then ckpacct turns off accounting until space is made available. This will result in loss of accounting data during the period that accounting is turned off. ckpacct will turn accounting on again when more space is available. There is no notification unless the MAILCOM variable is set.
MAILCOM="mail root adm"This can be set in the ckpacct and runacct scripts or in the /etc/environment file. If MAILCOM is set in both places the setting in ckpacct and runacct is used.
Accounting is kicked off by cron, usually during the late hours of the day. This occurs if the process is set up according to the set up fax mentioned in the "How System Accounting is Initiated" section of this document. The scripts that are usually run at night are:
See "About the Accounting Programs" for more information about these scripts.
/var/adm/acct/nite/accterr contains the most system accounting error information.
/var/adm/acct/nite/active contains information about the steps that have been completed during the runacct script.
/var/adm/acct/nite/statefile lists the current state of runacct.
It is possible mail will not be received from cron because cron redirects output to the accterr file or to /dev/null; however, if the cron jobs are set up not to do this, there will be mail from cron.
Also, mail will not be received from the runacct script unless the MAILCOM line is uncommented in /usr/sbin/acct/runacct.
dodisk performs disk usage accounting on all file systems that have account = true in /etc/filesystems. dodisk creates a file for use by runacct called /var/adm/acct/nite/dacct. The dodisk command needs to be started at least 10-30 minutes before runacct to allow it to complete before runacct starts. If the dacct file isn't finished before runacct tries to process it, there will be bad data in the daily reports.
ckpacct checks /var to make sure it doesn't run out of space. It also makes sure that /var/adm/pacct doesn't get too large to be manageable, by renaming pacct to pacctxx and starting a new pacct file when pacct grows over 500 disk blocks. The normal interval for running ckpacct is once an hour. It should be run more often on systems that are heavily used. The more commands that are run, the faster the pacct files grow.
runacct performs daily accounting and generates daily reports in the /var/adm/acct/sum directory. This command is divided into STATEs (procedures). If the process breaks, it can be started again at the correct STATE. Parameters should not be applied when using runacct unless trying to start the process over from a failed attempt. See the following section for more information.
monacct cleans up daily reports and creates a monthly report in /var/adm/acct/fiscal. See the following section for more information.
The runacct command can take two arguments; however, they should only be used to start a runacct that previously failed. The documentation states that the command usage is
runacct [MMDD] [STATE ... ]but the correct syntax is
runacct [MMDD [STATE]]
Before restarting runacct, refer to the "Restarting runacct Procedures" in the product documentation for necessary cleanup to be performed; otherwise, the runacct command will fail to run properly.
If runacct is restarted, use the MMDD for the day that runacct was running (that is, if runacct failed on 0623, run "runacct 0623"). It will continue at the point of failure. A certain STATE can also be specified at which to start. This is necessary only if a STATE is skipped or redo one that has been done. The valid STATEs are:
SETUP WTMPFIX CONNECT1 CONNECT2 PROCESS MERGE FEES DISK QUEUEACCT MERGETACCT CMS USEREXIT CLEANUP
Any state other than these is invalid and generates errors in the active file.
The following sections list the actions during each state of runacct.
monacct performs these steps:
The daily report might be all that is needed; however, the commands a specific user ran can be seen by running acctcom. It generates a file with one line for each command run and indicates the time the command was run and who ran it. (See product documentation for a complete list of flags for the acctcom command. Only the minimum syntax is used in the examples that follow.)
Since runacct deletes the pacct files, which are needed by acctcom, run acctcom first or save the pacct files before runacct is run.
If acctcom is run before runacct, use the following syntax to run acctcom. Note that the output will be rather large.
acctcom /var/adm/pacct* > somefile
To save the pacct files before runacct, the recommended method is to change runacct to save the files before it continues processing:
cd /var/adm mkdir oldpacct #(directory to save pacct files in)
mv ${_i} S${_i}.${_date}
cp ${_i} /var/adm/oldpacct/${_i}
If the modified runacct is run before acctcom, use the following syntax to run acctcom:
acctcom /var/adm/oldpacct/pacct* > somefile rm /var/adm/oldpacct/pacct*