The system accounting utility allows you to collect and report on individual and group use of various system resources. Topics covered in this section are:
You must have root authority to complete this procedure.
The following is an overview of the steps you must take to set up an accounting system. Refer to the commands and files noted in these steps for more specific information.
/usr/sbin/acct/nulladm wtmp pacct
This provides access to the pacct and wtmp files.
Note: Comment lines can appear anywhere in the file as long as the first character in the line is an asterisk (*).
For example, to specify the year 2000, with prime time beginning at 8:00 a.m. and ending at 5:00 p.m., enter:
2000 0800 1700
A two-line example follows:
1 Jan 1 New Year's Day 332 Nov 28 Thanksgiving Day
/usr/bin/su - adm -c /usr/sbin/acct/startup
The startup procedure records the time that accounting was turned on and cleans up the previous day's accounting files.
account = true
acctfile = /var/adm/qacct
su - adm cd /var/adm/acct mkdir nite fiscal sum exit
0 2 * * 4 /usr/sbin/acct/dodisk
5 * * * * /usr/sbin/acct/ckpacct
0 4 * * 1-6 /usr/sbin/acct/runacct
2>/var/adm/acct/nite/accterrThe first line starts disk accounting at 2:00 a.m. (0 2) each Thursday (4). The second line starts a check of the integrity of the active data files at 5 minutes past each hour (5 *) every day (*). The third line runs most accounting procedures and processes active data files at 4:00 a.m. (0 4) every Monday through Saturday (1-6). If these times do not fit the hours your system operates, adjust your entries.
15 5 1 * * /usr/sbin/acct/monacct
Be sure to schedule this procedure early enough to finish the report. This example starts the procedure at 5:15 a.m. on the first day of each month.
crontab /var/spool/cron/crontabs/root
Once accounting has been configured on the system, daily and monthly reports are generated. The runacct command produces the daily reports and the monact command produces the monthly reports.
To generate a daily report, use the runacct command. This command summarizes data into an ASCII file named /var/adm/acct/sum/rprtMMDD. MMDD specifies the month and day the report is run. The report covers the following:
The first line of the Daily Report begins with the start and finish times for the data collected in the report, a list of system-level events including any existing shutdowns, reboots, and run-level changes. The total duration is also listed indicating the total number of minutes included within the accounting period (usually 1440 minutes, if the report is run every 24 hours). The report contains the following information:
The Daily Usage Report is a summarized report of system usage per user ID during the accounting period. Some fields are divided into prime and non-prime time, as defined by the accounting administrator in the /usr/lib/acct/holidays directory. The report contains the following information:
The Daily Command Summary report shows each command executed during the accounting period, with one line per each unique command name. The table is sorted by TOTAL KCOREMIN (described below), with the first line including the total information for all commands. The data listed for each command is cumulative for all executions of the command during the accounting period. The columns in this table include the following information:
The Monthly Total Command Summary , created by the monacct command, provides information about all commands executed since the previous monthly report. The fields and information mean the same as those in the Daily Command Summary.
The Last Login report displays two fields for each user ID. The first field is YY-MM-DD and indicates the most recent login for the specified user. The second field is the name of the user account. A date field of 00-00-00 indicates that the user ID has never logged in.
The Fiscal Accounting Reports generally collected monthly by using the monacct command. The report is stored in /var/adm/acct/fiscal/fiscrptMM where MM is the month that the monacct command was executed. This report includes information similar to the daily reports summarized for the entire month.
To generate a report on system activity, use the prtacct command. This command reads the information in a total accounting file (tacct file format) and produces formatted output. Total accounting files include the daily reports on connect time, process time, disk usage, and printer usage.
The prtacct command requires an input file in the tacct file format. This implies that you have an accounting system set up and running or that you have run the accounting system in the past. See Setting Up an Accounting System for guidelines.
Generate a report on system activity by entering:
prtacct -f Specification -v Heading File
Specification is a comma-separated list of field numbers or ranges used by the acctmerg command. The optional -v flag produces verbose output where floating-point numbers are displayed in higher precision notation. Heading is the title you want to appear on the report and is optional. File is the full path name of the total accounting file to use for input. You can specify more than one file.
To summarize raw accounting data, use the sa command. This command reads the raw accounting data, usually collected in the /var/adm/pacct file, and the current usage summary data in the /var/adm/savacct file, if summary data exists. It combines this information into a new usage summary report and purges the raw data file to make room for further data collection.
The sa command requires an input file of raw accounting data such as the pacct file (process accounting file). To collect raw accounting data, you must have an accounting system set up and running. See Setting Up an Accounting System for guidelines
The purpose of the sa command is to summarize process accounting information and to display or store that information. The simplest use of the command displays a list of statistics about every process that has run during the life of the pacct file being read. To produce such a list, type:
/usr/sbin/sa
To summarize the accounting information and merge it into the summary file, type:
/usr/sbin/sa -s
The sa command offers many additional flags that specify how the accounting information is processed and displayed. See the sa command description for more information.
Notes:
- If you call the runacct command with no parameters, the command assumes that this is the first time that the command has been run today. Therefore, you need to include the mmdd parameter when you restart the runacct program, so that the month and day are correct. If you do not specify a state, the runacct program reads the /var/adm/acct/nite/statefile file to determine the entry point for processing. To override the /var/adm/acct/nite/statefile file, specify the desired state on the command line.
- When you perform the following task, you might need to use the full path name /usr/sbin/acct/runacct rather than the simple command name, runacct.
To start the runacct command, type the following:
nohup runacct 2> \ /var/adm/acct/nite/accterr &
This entry causes the command to ignore all INTR and QUIT signals while it performs background processing. It redirects all standard error output to the /var/adm/acct/nite/accterr file.
If the runacct command is unsuccessful, do the following:
nohup runacct 0601 2>> \ /var/adm/acct/nite/accterr &
This restarts the runacct program for June 1 (0601). The runacct program reads the /var/adm/acct/nite/statefile file to find out with which state to begin. All standard error output is appended to the /var/adm/acct/nite/accterr file.
nohup runacct 0601 MERGE 2>> \ /var/adm/acct/nite/accterr &
You can display formatted information about system activity with the sar command.
To display system activity statistics, the sadc command must be running.
To display basic system-activity information, type:
sar 2 6
where the first number is the number of seconds between sampling intervals and the second number is the number of intervals to display. The output of this command looks something like this:
arthurd 2 3 000166021000 05/28/92
14:03:40 %usr %sys %wio %idle 14:03:42 4 9 0 88 14:03:43 1 10 0 89 14:03:44 1 11 0 88 14:03:45 1 11 0 88 14:03:46 3 9 0 88 14:03:47 2 10 0 88
Average 2 10 0 88
The sar command also offers a number of flags for displaying an extensive array of system statistics. To see all available statistics, use the -A flag. For a list of the available statistics and the flags for displaying them, see the sar command.
You can use the time and timex commands to display formatted information about system activity while a particular command is running.
The -o and -p flags of the timex command require that system accounting be turned on.
time CommandNameOR
timex CommandNametimex -s CommandNameThe timex command has two additional flags. The -o flag reports the total number of blocks read or written by the command and all of its children. The -p flag lists all of the process accounting records for a command and all of its children.
You can display formatted reports about the process time of active processes with the ps command or of finished processes with the acctcom command.
The acctcom command reads input in the total accounting record form (acct file format). This implies that you have process accounting turned on or that you have run process accounting in the past. See Setting Up an Accounting System for guidelines.
The ps command offers a number of flags to tailor the information displayed. To produce a full list of all active processes except kernel processes, type:
ps -ef
Another useful variation displays a list of all processes associated with terminals. Type:
ps -al
Both of these usages display a number of columns for each process, including the current CPU time for the process in minutes and seconds.
The process accounting functions are turned on with the startup command, which is typically started at system initialization with a call in the /etc/rc file. When the process accounting functions are running, a record is written to /var/adm/pacct (a total accounting record file) for every finished process that includes the start and stop time for the process. You can display the process time information from a pacct file with the acctcom command. This command has a number of flags that allow flexibility in specifying which processes to display.
For example, to see all processes that ran for a minimum number of CPU seconds or longer, use the -O flag, type:
acctcom -O 2
This displays records for every process that ran for at least 2 seconds. If you do not specify an input file, the acctcom command reads input from the /var/adm/pacct directory.
You can display formatted reports about the CPU usage by process or by user with a combination of the acctprc1, acctprc2, and prtacct commands.
The acctprc1 command requires input in the total accounting record form (acct file format). This implies that you have process accounting turned on or that you have run process accounting in the past. See Setting Up an Accounting System for guidelines.
To produce a formatted report of CPU usage by process, type:
acctprc1 </var/adm/pacct
This information will be useful in some situations, but you might also want to summarize the CPU usage by user. The output from this command is used in the next procedure to produce that summary.
acctprc1 </var/adm/pacct >out.file
The /var/adm/pacct file is the default output for process accounting records. You might want to specify an archive pacct file instead.
acctprc2 <out.file >/var/adm/acct/nite/daytacct
prtacct </var/adm/acct/nite/daytacct
You can display the connect time of all users, of individual users, and by individual login with the ac command.
The ac command extracts login information from the /var/adm/wtmp file, so this file must exist. If the file has not been created, the following error message is returned:
No /var/adm/wtmp
If the file becomes too full, additional wtmp files are created; you can display connect-time information from these files by specifying them with the -w flag.
/usr/sbin/acct/ac
This command displays a single decimal number that is the sum total connect time, in minutes, for all users who have logged in during the life of the current wtmp file.
/usr/sbin/acct/ac User1 User2 ...
This command displays a single decimal number that is the sum total connect time, in minutes, for the user or users you specified for any logins during the life of the current wtmp file.
/usr/sbin/acct/ac -p User1 User2 ...
This command displays as a decimal number for each user specified equal to the total connect time, in minutes, for that user during the life of the current wtmp file. It also displays a decimal number that is the sum total connect time for all the users specified. If no user is specified in the command, the list includes all users who have logged in during the life of the wtmp file.
You can display disk space utilization information with the acctmerg command.
To display disk space utilization information, the acctmerg command requires input from a dacct file (disk accounting). The collection of disk-usage accounting records is performed by the dodisk command. Placing an entry for the dodisk command in a crontabs file is part of the procedure described in Setting Up an Accounting System.
To display disk space utilization information, type:
acctmerg -a1 -2,13 -h </var/adm/acct/nite/dacct
This command displays disk accounting records, which include the number of 1 KB blocks utilized by each user.
You can display printer or plotter usage accounting records with the pac command.
/usr/sbin/pac -PPrinter
If you do not specify a printer, the default printer is named by the PRINTER environment variable. If the PRINTER variable is not defined, the default is lp0.
/usr/sbin/pac -PPrinter User1 User2 ...
The pac command offers other flags for controlling what information gets displayed.
If you are using the accounting system to charge user for system resources, the integrity of the /var/adm/acct/sum/tacct file is quite important. Occasionally, mysterious tacct records appear that contain negative numbers, duplicate user numbers, or a user number of 65,535.
You must have root user or adm group authority.
cd /var/adm/acct/sum
prtacct tacctprev
The prtacct command formats and displays the tacctprev file so that you can check connect time, process time, disk usage, and printer usage.
acctmerg -v < tacct.mmdd > tacct.new
Note: The acctmerg command with the -a flag also produces ASCII output. The -v flag produces more precise notation for floating-point numbers.
The acctmerg command is used to merge the intermediate accounting record reports into a cumulative total report (tacct). This cumulative total is the source from which the monacct command produces the ASCII monthly summary report. Since the monacct command procedure removes all the tacct.mmdd files, you recreate the tacct file by merging these files.
acctmerg -i < tacct.new > tacct.mmdd
acctmerg tacctprev < tacct.mmdd > tacctThe /var/adm/wtmp, or "who temp" file, might cause problems in the day-to-day operation of the accounting system. When the date is changed and the system is in multiuser mode, date change records are written to the /var/adm/wtmp file. When a date change is encountered, the wtmpfix command adjusts the time stamps in the wtmp records. Some combinations of date changes and system restarts may slip past the wtmpfix command and cause the acctcon1 command to fail and the runacct command to send mail to the root and adm accounts listing incorrect dates.
You must have root user or adm group authority.
cd /var/adm/acct/nite
fwtmp < wtmp.mmdd > wtmp.newThe fwtmp command converts wtmp from binary to ASCII.
vi wtmp.new
fwtmp -ic < wtmp.new > wtmp.mmddnulladm wtmp
The nulladm command creates the file specified with read and write permissions for the file owner and group, and read permissions for other users. It ensures that the file owner and group are adm.
You might encounter several different problems when using the accounting system. You might need to resolve file ownership and permissions problems.
This section describes how to fix general accounting problems:
You must have root user or adm group authority.
To use the accounting system, file ownership and permissions must be correct. The adm administrative account owns the accounting command and scripts, except for /var/adm/acct/accton which is owned by root.
ls -l /var/adm/acct -rws--x--- 1 adm adm 14628 Mar 19 08:11 /var/adm/acct/fiscal -rws--x--- 1 adm adm 14628 Mar 19 08:11 /var/adm/acct/nite -rws--x--- 1 adm adm 14628 Mar 19 08:11 /var/adm/acct/sum
cd /var/adm/acct
chown adm sum/* nite/* fiscal/*
To prevent tampering by users trying to avoid charges, deny write permission for others on these files. Change the accton command group owner to adm, and permissions to 710, that is, no permissions for others. Processes owned by adm can execute the accton command, but ordinary users can not.
/var/adm/acct/startup: /var/adm/wtmp: Permission denied
To correct the ownership of /var/adm/wtmp, change ownership to the adm group by typing the following command:
chown adm /var/adm/wtmp
Processing the /var/adm/wtmp file night produce some warnings mailed to root. The wtmp file contains information collected by /etc/init and /bin/login and is used by accounting scripts primarily for calculating connect time (the length of time a user is logged in). Unfortunately, date changes confuse the program that processes the wtmp file. As a result, the runacct command sends mail to root and adm complaining of any errors after a date change since the last time accounting was run.
The acctcon1 command outputs error messages that are mailed to adm and root by the runacct command. For example, if the acctcon1 command stumbles after a date change and fails to collect connect times, adm might get mail like the following mail message:
Mon Jan 6 11:58:40 CST 1992 acctcon1: bad times: old: Tue Jan 7 00:57:14 1992 new: Mon Jan 6 11:57:59 1992 acctcon1: bad times: old: Tue Jan 7 00:57:14 1992 new: Mon Jan 6 11:57:59 1992 acctcon1: bad times: old: Tue Jan 7 00:57:14 1992 new: Mon Jan 6 11:57:59 1992
/usr/sbin/acct/wtmpfix wtmp
The wtmpfix command examines the wtmp file for date and time-stamp inconsistencies and corrects problems that could make acctcon1 fail. However, some date changes slip by wtmpfix. See Fixing wtmp Errors.
Using the runacct command at these times minimizes the number of entries with bad times. The runacct command continues to send mail to the root and adm accounts, until you edit the runacct script, find the WTMPFIX section, and comment out the line where the file log gets mailed to the root and adm accounts.
The runacct command processes files that are often very large. The procedure involves several passes through certain files and consumes considerable system resources while it is taking place. That is why the runacct command is normally run early in the morning when it can take over the machine and not disturb anyone.
The runacct command is a scrip divided into different stages. The stages allow you to restart the command where it stopped, without having to rerun the entire script.
When the runacct encounters problems, it sends error messages to different destinations depending on where the error occurred. Usually it sends a date and a message to the console directing you to look in the activeMMDD file (such as active0621 for June 21st) which is in the /usr/adm/acct/nite directory. When the runacct command aborts, it moves the entire active file to activeMMDD and appends a message describing the problem.
********* ACCT ERRORS : see active0102 *********
| State | Command | Fatal? | Error Message | Destinations |
|---|---|---|---|---|
| pre | runacct | yes | * 2 CRONS or ACCT PROBLEMS * ERROR: locks found, run aborted | console, mail, active |
| pre | runacct | yes | runacct: Insufficient space in /usr ( nnn blks); Terminating procedure | console, mail, active |
| pre | runacct | yes | SE message; ERROR: acctg already run for 'date': check lastdate | console, mail, activeMMDD |
| pre | runacct | no | * SYSTEM ACCOUNTING STARTED * | console |
| pre | runacct | no | restarting acctg for 'date' at STATE | console active, console |
| pre | runacct | no | restarting acctg for 'date' at state (argument $2) previous state was STATE | active |
| pre | runacct | yes | SE message; Error: runacct called with invalid arguments | console, mail, activeMMDD |
| State | Command | Fatal? | Error Message | Destinations |
|---|---|---|---|---|
| SETUP | runacct | no | ls -l fee pacct* /var/adm/wtmp | active |
| SETUP | runacct | yes | SE message; ERROR: turnacct switch returned rc=error | console, mail, activeMMDD |
| SETUP | runacct | yes | SE message; ERROR: SpacctMMDD already exists file setups probably already run | activeMMDD |
| SETUP | runacct | yes | SE message; ERROR: wtmpMMDD already exists: run setup manually | console, mail, activeMMDD |
| WTMPFIX | wtmpfix | no | SE message; ERROR: wtmpfix errors see xtmperrorMMDD | activeMMDD, wtmperrorMMDD |
| WTMPFIX | wtmpfix | no | wtmp processing complete | active |
| CONNECT1 | acctcon1 | no | SE message; (errors from acctcon1 log) | console, mail, activeMMDD |
| CONNECT2 | acctcon2 | no | connect acctg complete | active |
| PROCESS | runacct | no | WARNING: accounting already run for pacctN | active |
| PROCESS | acctprc1 acctprc2 | no | process acctg complete for SpacctNMMDD | active |
| PROCESS | runacct | no | all process actg complete for date | active |
| MERGE | acctmerg | no | tacct merge to create dayacct complete | active |
| FEES | acctmerg | no | merged fees OR no fees | active |
| DISK | acctmerg | no | merged disk records OR no disk records | active |
| MERGEACCT | acctmerg | no | WARNING: recreating sum/tacct | active |
| MERGEACCT | acctmerg | no | updated sum/tacct | active |
| CMS | runacct | no | WARNING: recreating sum/cms | active |
| CMS | acctcms | no | command summaries complete | active |
| CLEANUP | runacct | no | system accounting completed at 'date' | active |
| CLEANUP | runacct | no | *SYSTEM ACCOUNTING COMPLETED* | console |
| <wrong> | runacct | yes | SE message; ERROR: invalid state, check STATE | console, mail, activeMMDD |
| Destination | Description |
|---|---|
| console | The /dev/console device |
| Message mailed to root and adm accounts | |
| active | The /usr/adm/acct/nite/active file |
| activeMMDD | The /usr/adm/acct/nite/activeMMDD file |
| wtmperrMMDD | The /usr/adm/acct/nite/wtmperrorMMDD file |
| STATE | Current state in /usr/adm/acct/nite/statefile file |
| fd2log | Any other error messages |
The acctcon1 command (started from the runacct command) sends mail to the root and adm accounts when the /usr/lib/acct/holidays file gets out of date. The holidays file is out of date after the last holiday listed has passed or the year has changed.
Update the out-of-date holidays file by editing the /var/adm/acct/holidays file to differentiate between prime and nonprime time.
Prime time is assumed to be the period when your system is most active, such as workdays. Saturdays and Sundays are always nonprime times for the accounting system, as are any holidays that you list.
The holidays file contains three types of entries: comments, the year and prime-time period, and a list of holidays as in the following example:
* Prime/Non-Prime Time Table for Accounting System
*
* Curr Prime Non-Prime
* Year Start Start
1992 0830 1700
*
* Day of Calendar Company
* Year Date Holiday
*
* 1 Jan 1 New Year's Day
* 20 Jan 20 Martin Luther King Day
* 46 Feb 15 President's Day
* 143 May 28 Memorial Day
* 186 Jul 3 4th of July
* 248 Sep 7 Labor Day
* 329 Nov 24 Thanksgiving
* 330 Nov 25 Friday after
* 359 Dec 24 Christmas Eve
* 360 Dec 25 Christmas Day
* 361 Dec 26 Day after Christmas
The first noncomment line must specify the current year (as four digits) and the beginning and end of prime time, also as four digits each. The concept of prime and nonprime time only affects the way that the accounting programs process the accounting records.
If the list of holidays is too long, the acctcon1 command generates an error, and you will need to shorten your list. You are safe with 20 or fewer holidays. If you want to add more holidays, just edit the holidays file each month.