Security, Performance, and Accounting Administration

Setting Up and Maintaining Accounting

10

The SunOS 5.x accounting utilities are a group of programs that collect and record data about system usage, and then provide full reports of that data. The accounting utilities can be used for:
  • Monitoring system usage
  • Troubleshooting
  • Locating and correcting performance problems
  • Maintaining system security
The accounting utilities provide C language programs and shell scripts that organize the data into summary files and reports.
This chapter describes how the accounting utilities work, how to set up accounting on your system, and how to read the reports generated by the programs.

Overview of Accounting

Once it has been set up, system accounting runs mostly on its own. (For instructions on setting up an accounting system, see "Setting Up Accounting" on page 168.) The shell scripts that generate accounting reports reside in the /usr/adm/acct and /usr/lib/acct directories. Setting up automatic accounting involves putting these scripts into the crontab file so that cron will invoke them automatically.
The following is an overview of how accounting works.
  • Between system startup and shutdown, raw data about system use (such as logins, processes run, and data storage) are collected in accounting files.
  • Periodically (usually once a day), the /usr/lib/acct/runacct program processes the various accounting files and produces both cumulative summary files and daily accounting reports. The daily reports are printed by the prdaily program.
  • The cumulative summary files generated by runacct can be processed and printed monthly by executing the monacct program. The summary reports produced by monacct provide an efficient means for billing users on a monthly or other fiscal basis.

Types of Accounting

The daily accounting can help you do four types of accounting: connect accounting, process accounting, disk accounting, and fee calculations.

Connect Accounting

Connect accounting enables you to determine the following:
  • The length of time a user was logged in
  • How the tty lines are being used
  • The number of reboots on your system
  • The frequency with which the accounting software was turned off and on
To provide this information, the system stores records of time adjustments, boot times, times the accounting software was turned off and on, changes in run levels, the creation of user processes (login processes and init processes), and the deaths of processes. These records (produced from the output of system programs such as date, init, login, ttymon, and acctwtmp) are stored in the file, /var/adm/wtmp. Entries in the wtmp file may contain the following information: a user's login name, a device name, a process ID, the type of entry, and a time stamp denoting when the entry was made.

Process Accounting

Process accounting enables you to keep track of the following data about each process run on your system:
  • The user and group IDs of those using the process
  • The beginning and elapsed times of the process
  • The CPU time for the process (user time and system time)
  • The amount of memory used
  • The commands run
  • The tty controlling the process
Every time a process dies, the exit program collects this data and writes it to the file /var/adm/pacct.
The pacct file has a default maximum size of 500 blocks that is enforced by the accounting shell script, ckpacct (normally run as a cron job). If ckpacct finds that /var/adm/pacct is larger than 500 blocks, it moves the file to /var/adm/pacctn, where n is the next unused incremental number.

Disk Accounting

Disk accounting enables you to gather and format the following data about the files each user has on disks:
  • The name and ID of the user
  • The number of blocks used by the user's files
This data is collected by a shell script called dodisk.
dodisk invokes the commands acctdusg and diskusg, which gather information for each file in the system.
acctdusg gathers all the disk accounting information. Each time it is invoked, this command can process a maximum of 3000 users. The slow mode syntax is:
/usr/lib/acct/dodisk -o mountpoints

If no mount points are specified, the root mount point is used.

Caution - Information gathered by running dodisk is stored in the /var/adm/acct/nite/disktacct file. This information is overwritten the next time dodisk is run. Therefore, avoid running dodisk twice in the same day.

diskusg may overcharge for files that are written in random access fashion, which may create holes in the files. This is because diskusg does not read the indirect blocks of a file when determining its size. Rather, diskusg determines the size of a file by looking at the di_size value of the inode.

Fee Calculations

If you charge your users for special services, such as restoring files and remote printing, you may want to use a program called chargefee to maintain service accounts. Fees charged to customers are recorded in a file called /var/adm/fee. Each entry in the file consists of a user's login name, user ID, and the fee.

Accounting Programs

All the accounting shell scripts and binary accounting programs are stored in /usr/lib/acct. The acctcom program is stored in /usr/bin. These programs, which are owned by bin (except for accton, which is owned by root), perform various functions. For example, /usr/lib/acct/startup helps initiate the accounting process when the system enters multiuser mode. The chargefee program is used to charge a particular user for a special service, such as restoring a file from tape. Other essential programs in the /usr/lib/acct directory include monacct, prdaily, and runacct. These and other programs are discussed in more detail in the following sections.

Setting Up Accounting

To set up system accounting to run while the system is in multiuser mode (system state 2), you need to create or modify four files:
  • /etc/rc0.d/K22acct (create)
  • /etc/rc2.d/S22acct (create)
  • /var/spool/cron/crontabs/adm (modify)
  • /var/spool/cron/crontabs/root (modify)
If you want accounting to be shut off during shutdown, link /etc/rc0.d/K22acct to /etc/init.d/acct.

* Type the following command:
  ln -s /etc/init.d/acct /etc/rc0.d/K22acct

If you want accounting to be turned on when the system is in multiuser mode (system state 2), link /etc/rc2.d/S22acct to /etc/init.d/acct.
* Type the following command:
ln -s /etc/init.d/acct /etc/rc2.d/S22acct

Most of the cron entries needed for accounting are put into a database called /var/spool/cron/crontabs/adm. The sample entries in this database run ckpacct periodically, runacct daily, and monacct on a fiscal basis. You can vary the frequencies. Be sure to append this information to the file to avoid destroying any entries already present. For the adm crontab, assign root as the owner, sys as the group, and 644 as the permissions mode.

  -------------------entries for adm crontab------------------------------  
  #Min Hour       Day       Month     Day       Command  
  #               of                  of  
  #               Month               Week  
  #-----------------------------------------------------------------------------  
  0     *         *         *         *         /usr/lib/acct/ckpacct  
  30    2         *         *         *         /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log  
  30    9         *         *         5         /usr/lib/acct/monacct  
  ------------------------------------------------------------------------  

Append the entry for dodisk to the root crontab, /var/spool/cron/crontabs/root. A sample is shown below.

  --------------------entry for root crontab--------------------------------  
  #Min Hour       Day       Month     Day       Command  
  #               of                  of  
  #               Month               Week  
  #-----------------------------------------------------------------------------  
  30  22  *    *   4    /usr/lib/acct/dodisk  

Once these entries are in the database and the accounting programs have been installed, accounting should run automatically.
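
The setup above can be checked with a read-only audit such as the following. This is an added example, not part of the original chapter or of the SunOS accounting scripts; the function name, the optional root prefix, and the owner/group arguments are assumptions made so that a staged copy of the files can be checked as well as the live system.

```sh
#!/bin/sh
# Added example: audit the accounting setup (rc links, crontab entries,
# ownership and mode of the adm crontab). Nothing is modified.

# audit_acct_setup [ROOT_PREFIX [OWNER [GROUP]]]
# Prints one finding per line; returns 0 if nothing was found, 1 otherwise.
audit_acct_setup() {
    root=${1:-}                 # "" audits the live system
    want_owner=${2:-root}
    want_group=${3:-sys}
    adm=/var/spool/cron/crontabs/adm
    roottab=/var/spool/cron/crontabs/root
    findings=0

    # The two rc entries must be symbolic links to /etc/init.d/acct.
    for link in /etc/rc0.d/K22acct /etc/rc2.d/S22acct; do
        if [ ! -L "$root$link" ]; then
            echo "missing link: $link"
            findings=$((findings + 1))
        else
            target=$(ls -l "$root$link" | sed 's/.* -> //')
            if [ "$target" != /etc/init.d/acct ]; then
                echo "wrong target: $link -> $target"
                findings=$((findings + 1))
            fi
        fi
    done

    # Each program needs an active (not commented-out) crontab entry.
    for entry in "$adm:ckpacct" "$adm:runacct" "$adm:monacct" "$roottab:dodisk"; do
        tab=${entry%%:*}
        prog=${entry##*:}
        if ! grep -v '^[[:space:]]*#' "$root$tab" 2>/dev/null |
                grep "/usr/lib/acct/$prog" >/dev/null; then
            echo "no active $prog entry in $tab"
            findings=$((findings + 1))
        fi
    done

    # The adm crontab should be root:sys with mode 644, so that only root
    # can change what cron runs for accounting.
    if [ -f "$root$adm" ]; then
        set -- $(ls -ld "$root$adm")
        mode=$(printf '%s' "$1" | cut -c1-10)
        if [ "$mode" != "-rw-r--r--" ]; then
            echo "mode $mode on $adm, expected -rw-r--r--"
            findings=$((findings + 1))
        fi
        if [ "$3" != "$want_owner" ] || [ "$4" != "$want_group" ]; then
            echo "owner $3:$4 on $adm, expected $want_owner:$want_group"
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}

# Usage on the live system:   audit_acct_setup
# Usage on a staged copy:     audit_acct_setup /path/to/staged/root
```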

Daily Accounting

Here is a step-by-step summary of how SunOS system accounting works:
  1. When the system is switched into multiuser mode, the /usr/lib/acct/startup program is executed. The startup program executes several other programs that invoke accounting.

  2. The acctwtmp program adds a "boot" record to /var/adm/wtmp. In this record, the system name is shown as the login name in the wtmp record. Table 10-1 presents a summary of how the raw accounting data is gathered and where it is stored.

Table 10-1

  File in /var/adm       Information        Written By                              Format
  --------------------------------------------------------------------------------------
  wtmp                   Connect sessions   login, init                             utmp.h
                         Changes            date
                         Reboots            acctwtmp
                         Shutdowns          shutacct shell
  pacctn                 Processes          Kernel (when the process ends)          acct.h
                                            turnacct switch (creates a new file
                                            when the old one reaches 500 blocks)
  fee                    Special charges    chargefee                               acct.h
  acct/nite/disktacct    Disk space used    dodisk                                  tacct.h

  3. The turnacct program, invoked with the on option, begins process accounting. Specifically, turnacct executes the accton program with the argument /var/adm/pacct.

  4. The remove shell script "cleans up" the saved pacct and wtmp files left in the sum directory by runacct.

  5. The login and init programs record connect sessions by writing records into /var/adm/wtmp. Any date changes (using date with an argument) are also written to /var/adm/wtmp. Reboots and shutdowns using acctwtmp are also recorded in /var/adm/wtmp.

  6. When a process ends, the kernel writes one record per process, in the form of acct.h, in the /var/adm/pacct file.

  7. Two programs track disk usage by login: acctdusg and diskusg. They are invoked by the shell script dodisk.

  8. Every hour, cron executes the ckpacct program to check the size of /var/adm/pacct. If the file grows past 500 blocks (default), the turnacct switch is executed. (The program moves the pacct file and creates a new one.) The advantage of having several smaller pacct files becomes apparent when trying to restart runacct if a failure occurs when processing these records.

  9. If the system is shut down using shutdown, the shutacct program is executed automatically. The shutacct program writes a reason record into /var/adm/wtmp and turns off process accounting.

  10. If you provide services on a request basis (such as file restorations), you can keep billing records by login, using the chargefee program. It allows you to add a record to /var/adm/fee each time a user incurs a charge. The next time runacct is executed, this new record is picked up and merged into the total accounting records.

  11. runacct is executed by cron each night. runacct processes the accounting files: /var/adm/pacctn, /var/adm/wtmp, /var/adm/fee, and /var/adm/acct/nite/disktacct, to produce command summaries and usage summaries by login.

  12. The /usr/lib/acct/prdaily program is executed on a daily basis by runacct to write the daily accounting information collected by runacct (in ASCII format) in /var/adm/acct/sum/rprt.MMDD.

  13. The monacct program should be executed on a monthly basis (or at intervals determined by you, such as the end of every fiscal period). The monacct program creates a report based on data stored in the sum directory that has been updated daily by runacct. After creating the report, monacct "cleans up" the sum directory to prepare the directory's files for the new runacct data.

runacct Program

The main daily accounting shell procedure, runacct, is normally invoked by cron outside of prime time hours. The runacct shell script processes connect, fee, disk, and process accounting files. It also prepares daily and cumulative summary files for use by prdaily and monacct for billing purposes.
The runacct shell script takes care not to damage files if errors occur. A series of protection mechanisms are used that attempt to recognize an error, provide intelligent diagnostics, and complete processing in such a way that runacct can be restarted with minimal intervention. It records its progress by writing descriptive messages into the file active. (Files used by runacct are assumed to be in the /var/adm/acct/nite directory, unless otherwise noted.) All diagnostic output during the execution of runacct is written into fd2log.
When runacct is invoked, it creates the files lock and lock1. These files are used to prevent simultaneous execution of runacct. The runacct program prints an error message if these files exist when it is invoked. The lastdate file contains the month and day runacct was last invoked, and is used to prevent more than one execution per day. If runacct detects an error, a message is written to the console, mail is sent to root and adm, locks are removed, diagnostic files are saved, and execution is ended.

Re-entrant States of the runacct Script

To allow runacct to be restartable, processing is broken down into separate reentrant states. The file statefile is used to keep track of the last state completed. When each state is completed, statefile is updated to reflect the next state. After processing for the state is complete, statefile is read and the next state is processed. When runacct reaches the CLEANUP state, it removes the locks and ends. States are executed as follows:
SETUP           The command turnacct switch is executed to create a new 
                pacct file. The process accounting files in /var/adm/pacctn 
                (except for the pacct file) are moved to 
                /var/adm/Spacctn.MMDD. The /var/adm/wtmp file is 
                moved to /var/adm/acct/nite/wtmp.MMDD (with the 
                current time record added on the end) and a new 
                /var/adm/wtmp is created. closewtmp and utmp2wtmp add 
                records to wtmp.MMDD and the new wtmp to account for 
                users currently logged in.
WTMPFIX         The wtmpfix program checks the wtmp.MMDD file in the nite 
                directory for accuracy. Because some date changes will cause 
                acctcon to fail, wtmpfix attempts to adjust the time stamps 
                in the wtmp file if a record of a date change appears. It 
                also deletes any corrupted entries from the wtmp file. The 
                fixed version of wtmp.MMDD is written to tmpwtmp.
CONNECT         The acctcon program is used to record connect accounting 
                records in the file ctacct.MMDD. These records are in 
                tacct.h format. In addition, acctcon creates the lineuse 
                and reboots files. The reboots file records all the boot 
                records found in the wtmp file. CONNECT was previously 
                divided into two steps called CONNECT1 and CONNECT2.
PROCESS         The acctprc program is used to convert the process 
                accounting files, /var/adm/Spacctn.MMDD, into total 
                accounting records in ptacctn.MMDD. The Spacct and 
                ptacct files are correlated by number so that if runacct fails, 
                the Spacct files will not be processed.


Caution - When restarting runacct in this state, remove the last ptacct file because it will not be complete.

MERGE           The MERGE program merges the process accounting records 
                with the connect accounting records to form daytacct.
FEES            The MERGE program merges ASCII tacct records from the 
                fee file into daytacct.
DISK            If the dodisk procedure has been run, producing the file 
                disktacct, the DISK program merges the file into daytacct 
                and moves disktacct to /tmp/disktacct.MMDD.
MERGETACCT      The MERGETACCT merges daytacct with sum/tacct, the 
                cumulative total accounting file. Each day, daytacct is saved 
                in sum/tacct.MMDD, so that sum/tacct can be re-created 
                if it is corrupted or lost.

CMS             The program acctcms is run several times. acctcms is first 
                run to generate the command summary using the Spacctn 
                files and write it to sum/daycms. The acctcms program is 
                then run to merge sum/daycms with the cumulative command 
                summary file sum/cms. Finally, acctcms is run to produce the 
                ASCII command summary files, nite/daycms and 
                nite/cms, from the files sum/daycms and sum/cms, 
                respectively. The program lastlogin is used to create the log 
                file /var/adm/acct/sum/loginlog, the report of when 
                each user last logged in. (If runacct is run after midnight, the 
                dates showing the time last logged in by some users will be 
                incorrect by one day.)
USEREXIT        Any installation-dependent (local) accounting program can be 
                included at this point. runacct expects it to be called 
                /usr/lib/acct/runacct.local.
CLEANUP         Cleans up temporary files, runs prdaily and saves its output 
                in sum/rprt.MMDD, removes the locks, then exits.

runacct Error Messages

The runacct procedure can fail for a variety of reasons, the most common being a system crash, /var running out of space, or a corrupted wtmp file. If the active.MMDD file exists, check it first for error messages. If the active and lock files exist, check fd2log for any mysterious messages. See Appendix C, "Error Messages," for an explanation of error messages generated by runacct.

Files Produced by runacct

The following files produced by runacct (found in /var/adm/acct) are of particular interest:
nite/lineuse        runacct calls acctcon to gather data on terminal line 
                    usage from /var/adm/acct/nite/tmpwtmp and writes 
                    the data to /var/adm/acct/nite/lineuse. prdaily 
                    uses this data to report line usage. This report is especially 
                    useful for detecting bad lines. If the ratio between the 
                    number of logouts to logins is greater than about three to 
                    one, there is a good possibility that the line is failing.

nite/daytacct       This file is the total accounting file for the day in tacct.h 
                    format.

sum/tacct           This file is the accumulation of each day's 
                    nite/daytacct and can be used for billing purposes. It 
                    is restarted each month or fiscal period by the monacct 
                    procedure.

sum/daycms          /var/adm/acct/nite/daycms. runacct calls acctcms to 
                    process the data about the

sum/cms             This file is the accumulation of each day's command 
                    summaries. It is restarted by the execution of monacct. 
                    The ASCII version is nite/cms.

sum/loginlog        runacct calls lastlogin to update the last date logged 
                    in for the logins in /var/adm/acct/sum/loginlog. 
                    lastlogin also removes from this file logins that are no 
                    longer valid.

sum/rprt.MMDD       Each execution of runacct saves a copy of the daily 
                    report that was printed by prdaily.

Fixing Corrupted Files

Unfortunately, this accounting system is not foolproof. Occasionally, a file will become corrupted or lost. Some of the files can simply be ignored or restored from the backup. However, certain files must be fixed to maintain the integrity of the accounting system.

Fixing wtmp Errors

The wtmp files seem to cause the most problems in the day-to-day operation of the accounting system. When the date is changed and the system is in multiuser mode, a set of date change records is written into /var/adm/wtmp. The wtmpfix program is designed to adjust the time stamps in the wtmp records when a date change is encountered. However, some combinations of date changes and reboots will slip through wtmpfix and cause acctcon to fail. The following steps show how to patch up a wtmp file.

· How to Fix Errors

  1. Type cd /var/adm/acct/nite and press Return.

  2. Type fwtmp wtmp.MMDD xwtmp and press Return. The fwtmp command converts the binary file wtmp.MMDD to the ASCII file xwtmp.

  3. Edit xwtmp. Delete the corrupted files, or delete all records from the beginning up to the date change.

  4. Type fwtmp -ic xwtmp wtmp.MMDD and press Return. This step converts the ASCII file xwtmp to a binary file, overwriting the corrupted file.

    If the wtmp file is beyond repair, create a null wtmp file. This will prevent any charging of connect time. As a side effect, the lack of a wtmp file prevents acctprc from identifying the login that owned a particular process; the process is charged to the owner of the first login in the password file for the appropriate user ID.

Fixing tacct Errors

If the installation is using the accounting system to charge users for system resources, the integrity of sum/tacct is important. Occasionally, mysterious tacct records will appear with negative numbers, duplicate user IDs, or a user ID of 65535. First, check sum/tacctprev, using prtacct to print it. If it looks all right, patch up the latest sum/tacct.MMDD, then re-create the sum/tacct file. The following steps outline a simple patch procedure.

· How to Fix tacct Errors

  1. Type cd /var/adm/acct/sum and press Return.

  2. Type acctmerg -v tacct.MMDD xtacct and press Return. The -v option converts the contents of tacct.MMDD from binary to ASCII format.

  3. Edit the xtacct file. Remove the bad records and write the duplicate records to another file.

  4. Type acctmerg -i xtacct tacct.MMDD and press Return. The -i option converts the xtacct file from ASCII format to binary.

  5. Type acctmerg tacctprev tacct.MMDD tacct and press Return. This merges the files tacctprev and tacct.MMDD into the file tacct.

    The current sum/tacct can be re-created by merging all existing tacct.MMDD files using acctmerg, since the monacct procedure removes all the old tacct.MMDD files.

Restarting runacct

Called without arguments, runacct assumes that this is the first invocation of the day. The argument MMDD is necessary if runacct is being restarted and specifies the month and day for which runacct will rerun the accounting. The entry point for processing is based on the contents of statefile. To override statefile, include the desired state on the command line. The following are some sample procedures.
* To start runacct, type:
  nohup runacct 2> /var/adm/acct/nite/fd2log

* To restart runacct, type:
  nohup runacct 0601 2> /var/adm/acct/nite/fd2log

* To restart runacct in a specific state, type:
  nohup runacct 0601 WTMPFIX 2> /var/adm/acct/nite/fd2log
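
Before restarting, the files that runacct leaves in the nite directory say where it stopped and what to read first. The following read-only triage is an added example, not part of the original chapter or of runacct itself; the function name and its output wording are assumptions, and the list of states is the one given in this chapter.

```sh
#!/bin/sh
# Added example: summarize the state runacct left behind before a restart.
# Nothing is modified. Read fd2log before restarting, because the restart
# commands shown in this section redirect stderr over it.

# runacct_triage MMDD [NITE_DIR]
# Returns 0 when statefile names a state listed in this chapter, 1 otherwise.
runacct_triage() {
    mmdd=$1
    nite=${2:-/var/adm/acct/nite}
    states=" SETUP WTMPFIX CONNECT PROCESS MERGE FEES DISK MERGETACCT CMS USEREXIT CLEANUP "
    locked=no

    # lock and lock1 prevent simultaneous execution; runacct prints an
    # error message if they exist when it is invoked.
    for f in lock lock1; do
        if [ -e "$nite/$f" ]; then
            echo "lock present: $f"
            locked=yes
        fi
    done

    # lastdate holds the month and day runacct was last invoked.
    if [ -r "$nite/lastdate" ]; then
        echo "lastdate: $(cat "$nite/lastdate")"
    fi

    # active.MMDD is checked first; if active and the lock files both
    # exist, fd2log is the next place to look.
    if [ -e "$nite/active.$mmdd" ]; then
        echo "read first: active.$mmdd"
    fi
    if [ -e "$nite/active" ] && [ "$locked" = yes ]; then
        echo "read next: fd2log"
    fi

    # statefile names the state at which processing resumes.
    state=
    if [ -r "$nite/statefile" ]; then
        state=$(tr -d ' \t\n' < "$nite/statefile")
    fi
    case "$states" in
        *" $state "*) echo "next state: $state" ;;
        *) echo "statefile missing or holds an unlisted state: '$state'"
           return 1 ;;
    esac

    # Caution from the PROCESS state description.
    if [ "$state" = PROCESS ]; then
        echo "before restart: remove the last ptacct file (it is incomplete)"
    fi
    echo "restart: nohup runacct $mmdd 2> $nite/fd2log"
}

# Usage: runacct_triage 0601
```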

Billing Users

The chargefee program stores charges for special services provided to a user, such as file restoration, in the file fee. This file is incorporated by runacct every day.
* To register special fees, type:
chargefee login_name amount
where amount is an integer amount to be charged. Most locations prefer to set up their own shell scripts for this function, with codes for services rendered. The operator then needs only to identify the service rendered. The system can tabulate the charge.
The monthly accounting program monacct produces monthly summary reports similar to those produced daily. The monacct program also summarizes the accounting information into the files in the /var/adm/acct/fiscal directory. This information can be used to generate monthly billing. To generate a monthly billing, many UNIX system administrators customize the accounting process with their own shell scripts.

Setting Up Non-Prime Time Discounts

UNIX system accounting provides facilities to give users a discount for non-prime time system use. For this to work, you must inform the accounting program of the dates of holidays and the hours that are considered nonprime time, such as nights. To do this, you must edit the /etc/acct/holidays file that contains the prime/nonprime table for the accounting program. The format is composed of three types of entries:
  • Comment Lines - Comment lines are marked by an asterisk in the first column of the line. Comment lines may appear anywhere in the file.
  • Year Designation Line - This line should be the first data line (noncomment line) in the file and must appear only once. The line consists of three fields of four digits each (leading white space is ignored). For example, to specify the year as 1994, prime time start at 9 a.m., and nonprime time start at 4:30 p.m., the following entry would be appropriate:
1994 0900 1630

A special condition allowed in the time field is that the time 2400 is automatically converted to 0000.
  • Company Holidays Lines - These entries follow the year designation line and have the following general format:
Date    Description of Holiday

The date field has the format month/day and indicates the date of the holiday. The holiday field is actually commentary and is not currently used by other programs. A sample holiday list appears below.
Table 10-2

  Month/Day   Holiday
  ----------------------------------
  1/1         New Year's Day
  5/28        Memorial Day
  7/4         Independence Day
  9/3         Labor Day
  11/22       Thanksgiving Day
  11/23       Day after Thanksgiving
  12/25       Christmas Day
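
A malformed holidays table silently skews the prime/nonprime split, so it is worth validating the file against the three entry types described above. The following checker is an added example, not part of the original chapter or of the accounting software; the function names, the skipping of blank lines, and the optional expected-year argument are assumptions of the example.

```sh
#!/bin/sh
# Added example: validate an /etc/acct/holidays file.

# check_holidays [FILE [YEAR]]   (FILE defaults to standard input)
# Prints "line N: problem" per violation, or a one-line summary when clean.
# Returns 0 for a well-formed file, 1 otherwise.
check_holidays() {
    awk -v want="${2:-}" '
    function four(s) { return s ~ /^[0-9][0-9][0-9][0-9]$/ }
    function hhmm(s) {
        return four(s) && (s == "2400" || \
               (substr(s, 1, 2) + 0 < 24 && substr(s, 3, 2) + 0 < 60))
    }
    function norm(s) { return (s == "2400") ? "0000" : s }  # 2400 becomes 0000
    function bad(msg) { printf "line %d: %s\n", NR, msg; errors++ }

    BEGIN { split("31 29 31 30 31 30 31 31 30 31 30 31", dim, " ") }

    /^\*/      { next }     # comment: asterisk in the first column only
    /^[ \t]*$/ { next }     # blank line (assumption: ignored)

    !have_year {            # the first data line must be the year line
        have_year = 1
        if (NF != 3 || !four($1) || !hhmm($2) || !hhmm($3)) {
            bad("first data line must be YYYY HHMM HHMM")
            next
        }
        if (want != "" && $1 != want)
            bad("year " $1 " does not match expected " want)
        year = $1; prime = norm($2); nonprime = norm($3)
        next
    }

    NF == 3 && four($1) && four($2) && four($3) {
        bad("year designation line must appear only once")
        next
    }

    {                       # everything else must be: month/day description
        if ($1 !~ /^[0-9][0-9]?\/[0-9][0-9]?$/) {
            bad("date must be month/day: " $1)
            next
        }
        split($1, d, "/")
        m = d[1] + 0; day = d[2] + 0
        if (m < 1 || m > 12 || day < 1 || day > dim[m]) {
            bad("no such date: " $1)
            next
        }
        holidays++
    }

    END {
        if (!have_year) { print "no year designation line found"; errors++ }
        if (!errors)
            printf "year=%s prime=%s nonprime=%s holidays=%d\n",
                   year, prime, nonprime, holidays
        exit (errors ? 1 : 0)
    }' "${1:--}"
}

# Constructed sample: the year line and holiday list used in this section.
sample_holidays() {
    cat <<'EOF'
* Prime/Nonprime Table (constructed sample)
  1994 0900 1630
1/1     New Year's Day
5/28    Memorial Day
7/4     Independence Day
9/3     Labor Day
11/22   Thanksgiving Day
11/23   Day after Thanksgiving
12/25   Christmas Day
EOF
}

sample_holidays | check_holidays - 1994
```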

Daily Accounting Reports

The runacct shell script generates four basic reports upon each invocation. These reports cover the areas of connect accounting, usage by login on a daily basis, command usage reported by daily and monthly totals, and a report of the last time users were logged in. The four basic reports generated are:
  • Daily Report - Shows line utilization by tty number.
  • Daily Usage Report - Indicates usage of system resources by users (listed in order of UID).
  • Daily Command Summary - Indicates usage of system resources by commands, listed in descending order of use of memory (in other words, the command that used the most memory is listed first). This same information is reported for the month with the monthly command summary.
  • Last Login - Shows the last time each user logged in (arranged in chronological order).
The following sections describe the reports and the meaning of the data presented in each one.

Daily Report

This report gives information about each terminal line used. A sample daily report appears below.

  Jun 26 09:53  1994 DAILY REPORT FOR sfxbs Page 1  
  
  from      Thu Jun 25 17:45:22 1994  
  to        Fri Jun 26 09:51:25 1994  
  1         runacct  
  1         acctcon  
  
  TOTAL DURATION IS 966 MINUTES  
  LINE      MINUTES     PERCENT # SESS # ON  # OFF  
  term/23   25          3       7      7     3  
  term/22   157         16      6      6     3  
  TOTALS    183         --      13     13    7  
  ------------------------------------------------------  

The from and to lines specify the time period reflected in the report--the period from the time the last accounting report was generated until the time the current accounting report was generated. It is followed by a log of system reboots, shutdowns, power fail recoveries, and any other record dumped into /var/adm/wtmp by the acctwtmp program; see acct(1M).
The second part of the report is a breakdown of line utilization. The TOTAL DURATION tells how long the system was in multiuser state (accessible through the terminal lines). The columns are:
LINE        The terminal line or access port.
MINUTES     The total number of minutes that the line was in use during the accounting period.
PERCENT     The total number of MINUTES the line was in use, divided into
# SESS      The number of times this port was accessed for a login session.
# ON        Identical to SESS. (This column does not have much meaning anymore. It used to list the number of times that a port was used to log in a user.)
# OFF       This column reflects the number of times a user logs out and any interrupts that occur on that line. Generally, interrupts occur on a port when ttymon is first invoked when the system is brought to multiuser state. If the # OFF exceeds the # ON by a large factor, the multiplexer, modem, or cable is probably going bad, or there is a bad connection somewhere. The most common cause of this is an unconnected cable dangling from the multiplexer.
During real time, you should monitor /var/adm/wtmp because it is the file from which connect accounting is derived. If the wtmp file grows rapidly, execute acctcon -l file < /var/adm/wtmp to see which tty line is the noisiest. If interrupts are occurring frequently, general system performance will be affected.
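
The # OFF to # ON comparison described here, and the three-to-one rule of thumb given for nite/lineuse, can be applied mechanically to saved daily reports. The following filter is an added example, not part of the original chapter or of the accounting software; the function names are assumptions, and the sample report is constructed from the one above with two extra lines.

```sh
#!/bin/sh
# Added example: flag terminal lines whose # OFF count exceeds RATIO times
# their # ON count in the line-usage table of a daily report.

# flag_bad_lines RATIO [REPORT...]   (reads standard input if no REPORT)
# Prints "line on=N off=M", prefixed with the report name when files are given.
flag_bad_lines() {
    ratio=$1
    shift
    show=0
    if [ "$#" -gt 0 ]; then show=1; fi
    awk -v ratio="$ratio" -v show="$show" '
    FNR == 1                        { in_table = 0 }          # new report
    $1 == "LINE" && $2 == "MINUTES" { in_table = 1; next }    # column header
    !in_table                       { next }
    $1 == "TOTALS"                  { in_table = 0; next }    # end of table
    # Data rows have six fields: LINE MINUTES PERCENT SESS ON OFF.
    NF == 6 && $5 ~ /^[0-9]+$/ && $6 ~ /^[0-9]+$/ {
        on = $5 + 0; off = $6 + 0
        if (off > ratio * on)
            printf "%s%s on=%d off=%d\n", (show ? FILENAME ": " : ""), $1, on, off
    }' "$@"
}

# Constructed sample: the report layout shown above, with term/21 and
# term/24 added to exercise the check.
sample_daily_report() {
    cat <<'EOF'
Jun 26 09:53  1994 DAILY REPORT FOR sfxbs Page 1

from      Thu Jun 25 17:45:22 1994
to        Fri Jun 26 09:51:25 1994
1         runacct
1         acctcon

TOTAL DURATION IS 966 MINUTES
LINE      MINUTES     PERCENT # SESS # ON  # OFF
term/21   4           0       2      2     9
term/22   157         16      6      6     3
term/23   25          3       7      7     3
term/24   1           0       1      1     3
TOTALS    187         --      16     16    18
EOF
}

sample_daily_report | flag_bad_lines 3
```

To scan the saved reports instead, pass them as arguments, for example flag_bad_lines 3 /var/adm/acct/sum/rprt.*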

Daily Usage Report

The daily usage report gives a breakdown of system resource utilization by user. A sample of this type of report appears below.

  Jun 29  09:53  1994   DAILY USAGE REPORT FOR sfxbs Page 1  
  
         LOGIN   CPU     (MINS) KCORE-MINS       CONNECT(MINS)     DISK      # OF    # OF # DISK      FEE  
  UID   NAME   PRIME    NPRIME PRIME NPRIME PRIME NPRIME           BLOCKS   PROCS    SESS SAMPLES  
  0     TOTAL     5      12        6     16       131      51          0     1114    13        0       0  
  0     root      2        8       1     11          0       0         0      519      0       0       0  
  3     sys       0        1       0       1         0       0         0       45      0       0       0  
  4     adm       0        2       0       1         0       0         0      213      0       0       0  
  5     uucp      0        0       0       0         0       0         0       53      0       0       0  
  999   rly       3        1       5       2      111      37          0      269      1       0       0  
  7987 jan        0        0       0       1       20      14          0       15      6       0       0  

The data provided include the following:
UID               This is the user ID.
LOGIN NAME        This is the login name of the user. This information is useful because it identifies a user who has multiple login names.
CPU-MINS          This represents the amount of time the user's process used the central processing unit. This category is divided into PRIME and NPRIME (non-prime) utilization. The accounting system's version of this data is located in the file /etc/acct/holidays.
KCORE-MINS        This represents a cumulative measure of the memory a process uses while running. The amount shown reflects kilobyte segments of memory used, per minute. This measurement is also broken down into PRIME and NPRIME amounts.
CONNECT-MINS      This identifies the amount of "real time" used. This column identifies the amount of time that a user was logged in to the system. If the amount of time is high and the number shown in the column # OF PROCS is low, you can conclude the owner of the login logs in first thing in the morning and hardly touches the terminal the rest of the day. This column is also divided into PRIME and NPRIME use.
DISK BLOCKS       When the disk accounting programs have been run, the output is merged into the total accounting record (daytacct) and shows up in this column. This disk accounting is accomplished by the program acctdusg. For accounting purposes, a block is 512 bytes.
# OF PROCS        This column reflects the number of processes that were invoked by the user. This is a good column to watch for large numbers, indicating that a user may have a shell procedure that has run out of control.
# OF SESS         This column shows the number of times a user logged on to the system.
# DISK SAMPLES    This indicates how many times the disk accounting was run to obtain the average number of DISK BLOCKS listed earlier.
FEE               An often unused field in the total accounting record, the FEE field represents the total accumulation of widgets charged against the user by the chargefee shell procedure; see acctsh(1M). The chargefee procedure is used to levy charges against a user for special services performed, such as file restoration.

Daily Command Summary

The daily command summary report shows the system resource use by command. With this report, you can identify the most heavily used commands and, based on how those commands use system resources, gain insight on how best to tune the system. The daily and monthly reports are virtually the same; however, the daily summary reports only on the current accounting period while the monthly summary reports on the start of the fiscal period to the current date. In other words, the monthly report reflects the data accumulated since the last invocation of monacct.
These reports are sorted by TOTAL KCOREMIN, which is an arbitrary yardstick but often a good one for calculating drain on a system.
A sample daily command summary appears below.

   Jun 29 09:52 1994 DAILY COMMAND SUMMARY Page 1  
  
       TOTAL COMMAND SUMMARY  
             PRIME             PRIME     PRIME  
  COMMAND NUMBER TOTAL        TOTAL     TOTAL      MEAN       MEAN        HOG       CHARS       BLOCKS  
  NAME      CMDS   KCOREMIN CPU-MIN REAL-MIN SIZE-K           CPU-MIN     FACTOR    TRNSFD       READ  
  
  TOTALS   1114        2.44    16.69    136.33       0.15      0.01        0.12  4541666         1926  
  
  sh        227        1.01      2.45    54.99       0.41      0.01        0.04    111025         173  
  vi         12        0.35      0.62    44.23       0.55      0.05        0.01    151448          60  
  sed       143        0.09      0.82      1.48      0.10      0.01        0.55     14505          35  
  sadc       13        0.08      0.19      1.45      0.44      0.01        0.13    829088          19  
  more         3       0.04      0.07      2.17      0.59      0.02        0.03     30560            1  
  cut        14        0.03      0.09      0.28      0.37      0.01        0.33       154          13  
  uudemon.   76        0.03      0.66      2.30      0.05      0.01        0.29     43661          13  
  uuxqt      29        0.03      0.30      0.72      0.08      0.01        0.42     80765          35  
  mail         4       0.02      0.06      0.09      0.37      0.01        0.60      4540            9  
  ckstr      21        0.02      0.11      0.13      0.17      0.01        0.85          0           4  
  awk        13        0.02      0.12      0.21      0.15      0.01        0.54       444            2  
  ps           2       0.02      0.10      0.13      0.17      0.05        0.77      8060          21  
  find         9       0.02      3.35      5.73      0.00      0.37        0.58    355269         760  
  sar          1       0.01      0.19      0.24      0.08      0.19        0.80    564224            4  
  acctdisk     2       0.01      0.01      0.06      1.02      0.01        0.22          0           9  
  mv         24        0.01      0.14      0.17      0.10      0.01        0.81      3024          36  
    .  
    .  
    .  

The data provided, by column, include the following:
COMMAND NAME            This is the name of the command. Unfortunately, all shell procedures are lumped together under the name sh because only object modules are reported by the process accounting system. It's a good idea to monitor the frequency of programs called a.out or core or any other name that does not seem quite right. acctcom can be used to determine who executed a suspiciously named command and if superuser privileges were used.
PRIME NUMBER CMNDS      This is the total number of invocations of this particular command during prime time.
TOTAL KCOREMIN          This is the total cumulative measurement of the kilobyte segments of memory used by a process per minute of run time.
PRIME TOTAL CPU-MIN     This is the total processing time this program has
PRIME TOTAL REAL-MIN    This is the total real-time (wall-clock) minutes this
MEAN SIZE-K             This is the mean of the TOTAL KCOREMIN over the
MEAN CPU-MIN            This is the mean derived between the NUMBER CMDS
HOG FACTOR              This is the total CPU time divided by the elapsed time. This shows the ratio of system availability to system use, providing a relative measure of the total available CPU time consumed by the process during its execution.
CHARS TRNSFD            This column, which may go negative because of overflow, is a total count of the number of characters pushed around by the read and write system calls.
BLOCKS READ             This is a total count of the physical block reads and writes that a process performed.

Total Command Summary

The monthly command summary is similar to the daily command summary. The only difference is that the monthly command summary shows totals accumulated since the last invocation of monacct. A sample report appears below.

       TOTAL COMMAND SUMMARY  
  
  COMMAND   NUMBER TOTAL         TOTAL       TOTAL      MEAN    MEAN     HOG       CHARS          BLOCKS  
  NAME       CMDS KCOREMIN      CPU-MIN    REAL-MIN SIZE-K CPUMIN FACTOR          TRNSFD           READ  
  
  TOTALS 301314     300607.70 4301.59 703979.81          69.88    0.01    0.01 6967631360       10596385  
  
  troff       480    58171.37    616.15      1551.26     94.41    1.28    0.40    650669248       194926  
  rnews     5143     29845.12    312.20      1196.93     95.59    0.06    0.26 1722128384        2375741  
  uucico    2710     16625.01    212.95     52619.21     78.07    0.08    0.00    228750872       475343  
  nroff     1613     15463.20    206.54       986.06     74.87    0.13    0.21    377563304       277957  
  vi        3040     14641.63    157.77     14700.13     92.80    0.05    0.01    116621132       206025  
  expire       14    13424.81    104.90       265.67   127.98     7.49    0.39     76292096       145456  
  comp      3483     12140.64      60.22      423.54   201.62     0.02    0.14      9584838       372601  
  ad_d         71    10179.20      50.02     1158.31   203.52     0.70    0.04     11385054         19489  
  as        2312      9221.59      44.40      285.52   207.68     0.02    0.16     35988945       221113  
  gone        474     8723.46    219.93     12099.01     39.67    0.46    0.02     10657346         19397  
  i10         299     8372.60      44.45      454.21   188.34     0.15    0.10     60169932         78664  
  find        760     8310.97    196.91       728.39     42.21    0.26    0.27     58966910       710074  
  ld        2288      8232.84      61.19      425.57   134.55     0.03    0.14    228701168       279530  
  fgrep       832     7585.34      62.62      199.11   121.14     0.08    0.31     22119268         37196  
  sh       56314      7538.40    337.60 291655.70        22.33    0.01    0.00     93262128       612892  
  du          624     5049.58    126.32       217.59     39.97    0.20    0.58     16096269       215297  
  ls       12690      4765.60      75.71      541.53     62.95    0.01    0.14     65759473       207920  
  vnews        52     4235.71      28.11      959.74   150.70     0.54    0.03     28291679         28285  
    .  
    .  
    .  

See the listing under the section "Daily Command Summary" for a description of the data.

Last Login Report

This report gives the date when a particular login was last used. You can use this information to find unused logins and login directories that may be archived and deleted. A sample report appears below.

  Feb 13 04:40 1994 LAST LOGIN Page 1  
  
  00-00-00      **rje** 88-01-01         jlr      88-02-09      cec42     88-02-13        cec20  
  00-00-00      **rje** 88-01-13         crom     88-02-10      jgd       88-02-13        cec22  
  00-00-00      3bnet     88-01-14       usg      88-02-10      wbr       88-02-13        cec23  
  00-00-00      adm       88-01-17       cec11    88-02-11      cec30     88-02-13        cec24  
  00-00-00      daemon    88-01-17       cec38    88-02-11      cec41     88-02-13        cec25  
  00-00-00      notes     88-01-17       cec40    88-02-11      cec43     88-02-13        cec26  
  00-00-00      oas       88-01-18       cec60    88-02-11      cec53     88-02-13        cec27  
  00-00-00      pds       88-01-19       cec35    88-02-11      cec54     88-02-13        cec3  
  00-00-00      polaris 88-01-19         cec37    88-02-11      cec55     88-02-13        cec31  
  00-00-00      rje       88-01-22       dmk      88-02-11      cec56     88-02-13        cec32  
  00-00-00      shqer     88-01-26       ask      88-02-11      cec57     88-02-13        cec4  
  00-00-00      sys       88-01-26       cec39    88-02-11      cec58     88-02-13        cec6  
  00-00-00      trouble 88-01-27         sync     88-02-11      jwg       88-02-13        cec7  
  00-00-00      usors     88-02-02       pkl      88-02-11      skt       88-02-13        cec8  
  00-00-00      uucp      88-02-03       ibm      88-02-11      tfm       88-02-13        commlp  
  00-00-00      wna       88-02-03       slk      88-02-12      cec21     88-02-13        djs  
  87-07-06      lp        88-02-04       cec59    88-02-12      cec28     88-02-13        epic  
  87-07-30      dgn       88-02-05       cec33    88-02-12      cec29     88-02-13        jab  
  87-08-19      blg       88-02-05       cec34    88-02-12      csp       88-02-13        jcs  
  87-12-08      emna      88-02-05       cec36    88-02-12      drc       88-02-13        mak  
  88-01-14      s         88-02-05       cec51    88-02-12      emw       88-02-13        dn  
  88-01-09      rib       88-02-05       dfh      88-02-12      je        88-02-13        mlp  
  88-01-25      dmf       88-02-05       fsh      88-02-12      kab       88-02-13        nbh  
  88-01-25      emda      88-02-05       pkw      88-02-12      rap       88-02-13        rah  
    .  
    .  
    .  
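
Added example (not part of the original manual): an awk filter, wrapped in a shell function, that reads a report in the layout shown above and lists logins that were never used or were last used before a cutoff date. The function names and the sample excerpt are constructed for illustration, and the string comparison assumes all dates fall in the same century.

```shell
#!/bin/sh
# Added example: list logins from a LAST LOGIN report that were never used
# or were last used before a cutoff date.

# Constructed excerpt in the layout of the sample report (not real data).
sample_lastlogin() {
cat <<'EOF'
Feb 13 04:40 1994 LAST LOGIN Page 1

00-00-00      **rje**   88-01-01       jlr      88-02-09      cec42     88-02-13        cec20
00-00-00      adm       88-01-17       cec11    88-02-11      cec30     88-02-13        cec24
87-07-06      lp        88-02-04       cec59    88-02-12      cec28     88-02-13        epic
87-12-08      emna      88-02-05       cec36    88-02-12      drc       88-02-13        mak
EOF
}

# stale_logins CUTOFF: read the report on stdin; print "never LOGIN" for
# 00-00-00 entries and "stale LOGIN DATE" for dates earlier than CUTOFF
# (YY-MM-DD). Assumption: all dates fall in the same century, so comparing
# the YY-MM-DD strings orders them correctly.
stale_logins() {
  awk -v cutoff="$1" '
    /LAST LOGIN/ { next }                 # page header line
    {
      # The report packs several "date login" pairs onto each line.
      for (i = 1; i + 1 <= NF; i += 2) {
        d = $i; login = $(i + 1)
        if (d !~ /^[0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/) continue
        if (d == "00-00-00") print "never", login
        else if ((d "") < (cutoff "")) print "stale", login, d
      }
    }'
}

sample_lastlogin | stale_logins 88-01-01
```

Entries dated 00-00-00 include system logins such as adm and daemon in the sample report, so review the list before archiving or deleting anything.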

Looking at the pacct File With acctcom

At any time, you can examine the contents of the /var/adm/pacctn files, or any file with records in the acct.h format, by using the acctcom program. If you don't specify any files and don't provide any standard input when you run this command, acctcom reads the pacct file. Each record read by acctcom represents information about a dead process (active processes may be examined by running the ps command). The default output of acctcom provides the following information:
  • Command name (# sign if it was executed with superuser privileges)
  • User
  • tty name (listed as ? if unknown)
  • Starting time
  • Ending time
  • Real time (in seconds)
  • CPU time (in seconds)
  • Mean size (in Kbytes)
The following information can be obtained by using options to acctcom:
  • State of the fork/exec flag (1 for fork without exec)
  • System exit status
  • Hog factor
  • Total kcore minutes
  • CPU factor
  • Characters transferred
  • Blocks read
The options are:
-a            Show some average statistics about the processes selected. (The statistics
              are printed after the output is recorded.)
-b            Read the files backward, showing latest commands first. (This has no effect
              if reading standard input.)
-f            Print the fork/exec flag and system exit status columns. (The output is an
              octal number.)
-h            Instead of mean memory size, show the hog factor, which is the fraction of
              total available CPU time consumed by the process during its execution.
              Hog factor = total_CPU_time/elapsed_time.
-i            Print columns containing the I/O counts in the output.
-k            Show total kcoreminutes instead of memory size.
-m            Show mean core size (this is the default).
-q            Don't print output records, just print average statistics.
-r            Show CPU factor: user_time/(system_time + user_time).
-t            Show separate system and user CPU times.
-v            Exclude column headings from the output.
-C sec        Show only processes with total CPU time (system plus user) exceeding sec
              seconds.
-e time       Show processes existing at or before time, given in the format
              hr[:min[:sec]].
-E time       Show processes starting at or before time, given in the format
              hr[:min[:sec]]. Using the same time for both -S and -E shows
              processes that existed at the time.
-g group      Show only processes belonging to group.
-H factor     Show only processes that exceed factor, where factor is the "hog factor"
              (see the -h option).
-I chars      Show only processes transferring more characters than the cutoff
              number specified by chars.
-l line       Show only processes belonging to the terminal /dev/line.
-n pattern    Show only commands matching pattern (a regular expression as in ed
              except that "+" means one or more occurrences).
-o ofile       Instead of printing the records, copy them in acct.h format to ofile.
-O sec        Show only processes with CPU system time exceeding sec seconds.
-s time       Show processes existing at or after time, given in the format
              hr[:min[:sec]].
-S time       Show processes starting at or after time, given in the format
              hr[:min[:sec]].
-u user       Show only processes belonging to user.
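
Added example (not part of the original manual): the check suggested under "Daily Command Summary", watching for commands named a.out or core and seeing who ran them and whether superuser privileges were used, applied to acctcom's default columns. The function names and sample records are constructed for illustration; the hog factor is computed as CPU time divided by real time, as defined for the -h option.

```shell
#!/bin/sh
# Added example: triage acctcom default output for oddly named commands.
# Column order follows the default output listed above:
# command, user, tty, start, end, real secs, CPU secs, mean size (K).

# Constructed sample records (not output from a real system).
sample_acctcom() {
cat <<'EOF'
COMMAND                      START    END          REAL      CPU    MEAN
NAME       USER     TTYNAME  TIME     TIME       (SECS)   (SECS) SIZE(K)
#accton    root     ?        02:30:01 02:30:01     0.03     0.01   36.00
sh         jlr      term/4   09:12:40 09:12:41     1.20     0.05   41.50
a.out      jlr      term/4   09:13:02 09:21:02   480.00   432.00   88.00
#a.out     root     ?        03:14:15 03:14:16     1.00     0.02   52.00
vi         crom     term/7   10:01:00 10:45:00  2640.00     3.10   55.00
#core      root     term/7   10:50:11 10:50:12     0.50     0.01   20.00
EOF
}

# flag_suspicious NAMES: read acctcom output on stdin and print one line per
# record whose command name (without the # marker) is in the space-separated
# watch list NAMES. Output: name user tty start su=yes|no hog=<cpu/real>.
flag_suspicious() {
  awk -v names="$1" '
    BEGIN { n = split(names, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
    # Data records have 8 fields and a numeric REAL column; headers do not.
    NF == 8 && $6 ~ /^[0-9.]+$/ {
      cmd = $1; su = "no"
      # A leading # marks a command executed with superuser privileges.
      if (substr(cmd, 1, 1) == "#") { su = "yes"; cmd = substr(cmd, 2) }
      if (!(cmd in watch)) next
      # Hog factor = total CPU time / elapsed time; guard a zero elapsed time.
      hog = ($6 > 0) ? $7 / $6 : 0
      printf "%s %s %s %s su=%s hog=%.2f\n", cmd, $2, $3, $4, su, hog
    }'
}

sample_acctcom | flag_suspicious "a.out core"
```

On a system with accounting enabled, pipe acctcom into flag_suspicious in place of the sample.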

Accounting Files

The /var/adm directory structure contains the active data collection files and is owned by the adm login (currently user ID of 4).

A brief description of the files found in the /var/adm directory follows:
dtmp                Output from the acctdusg program
fee                 Output from the chargefee program, ASCII tacct records
pacct               Active process accounting file
pacctn              Process accounting files switched using turnacct
Spacctn.MMDD        Process accounting files for MMDD during execution of
                    runacct

The /var/adm/acct directory contains the nite, sum, and fiscal directories, which contain the actual data collection files. For example, the nite directory contains files that are reused daily by the runacct procedure. A brief summary of the files in the /var/adm/acct/nite directory follows:
active                 Used by runacct to record progress and print warning and error
                       messages
active.MMDD            Same as active after runacct detects an error
cms                    ASCII total command summary used by prdaily
ctacct.MMDD            Connect accounting records in tacct.h format
ctmp                   Output of acctcon1 program, connect session records in
                       ctmp.h format. (acctcon1 and acctcon2 are provided for
                       compatibility purposes)
daycms                 ASCII daily command summary used by prdaily
daytacct               Total accounting records for one day in tacct.h format
disktacct              Disk accounting records in tacct.h format, created by the
                       dodisk procedure
fd2log                 Diagnostic output during execution of runacct (see "Setting Up
                       Accounting" at the beginning of this chapter)
lastdate               Last day runacct executed (in date +%m%d format)
lock                   Used to control serial use of runacct
lineuse                tty line usage report used by prdaily
log                    Diagnostic output from acctcon
log.MMDD               Same as log after runacct detects an error
owtmp                  Previous day's wtmp file
reboots                Beginning and ending dates from wtmp and a listing of reboots
statefile              Used to record current state during execution of runacct
tmpwtmp                wtmp file corrected by wtmpfix
wtmperror              Place for wtmpfix error messages
wtmperror.MMDD         Same as wtmperror after runacct detects an error
wtmp.MMDD              runacct's copy of the wtmp file

The sum directory contains the cumulative summary files updated by runacct and used by monacct. A brief summary of the files in the /var/adm/acct/sum directory follows:
cms                    Total command summary file for current fiscal period in internal
                       summary format
cmsprev                Command summary file without latest update
daycms                 Command summary file for the day's usage in internal summary format
loginlog               Record of last date each user logged on; created by
                       lastlogin and used in the prdaily program
rprt.MMDD              Saved output of prdaily program
tacct                  Cumulative total accounting file for current fiscal period
tacctprev              Same as tacct without latest update
tacct.MMDD             Total command summary file for fiscal period n in internal summary
                       format. Total accounting file for MMDD
fiscrptn               Report similar to rprtn for fiscal period n
tacctn                 Total accounting file for fiscal period n

Quick Reference to Accounting

* To start accounting:

  /usr/lib/acct/startup

* To turn off accounting:

  /usr/lib/acct/shutacct

* To switch the pacct file to the pacctn file:

  /usr/lib/acct/ckpacct

* To examine the contents of pacct:

  /bin/acctcom

* To charge a fee:

  /usr/lib/acct/chargefee login_name amount

* To process accounting files into a daily summary:

  /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log

* To do disk accounting:

  /usr/lib/acct/dodisk

* To create a monthly accounting report:

  /usr/lib/acct/monacct fiscal_number

* To print tacct.h files in ASCII format:

  /usr/lib/acct/prtacct filename