Skip to ContentSun and Oracle Channel Sun How to Buy Log In

System Administration Guide: Advanced Administration

View this book in:

Other Languages
日本語

Contained Within

Find More Documentation

Featured Support Resources

Download this book in PDF (2106 KB)

Chapter 19 Managing System Accounting (Tasks)

This section describes how to set up and maintain system accounting.

This is a list of the step-by-step instructions in this chapter.

This is a list of the overview information in this chapter.

For information on using extended accounting, see “Extended Accounting” in System Administration Guide: Resource Management and Network Services.

For reference information on the various system accounting reports, see Chapter 20, System Accounting (Reference).

What is System Accounting?

The SunOS 5.9 system accounting software is a set of programs that enables you to collect and record data about user connect time, CPU time charged to processes, and disk usage. Once you collect this data, you can generate reports and charge fees for system usage.

You can use the accounting programs to:

Monitor system usage
Locate and correct performance problems
Maintain system security

After you set up the system accounting programs, they run mostly on their own.

How System Accounting Works

Automatic accounting is set up by first putting the accounting startup script into root's crontab file. The accounting startup script can then be started automatically by the cron command.

The following overview illustrates the system accounting process.

Between system startup and shutdown, raw data about system use (such as user logins, running processes, and data storage) are collected in accounting files.
Periodically (usually once a day), the /usr/lib/acct/runacct script processes the various accounting files and produces both cumulative summary files and daily accounting reports. Then the /usr/lib/acct/prdaily script prints the daily reports.

For more information about the runacct script, see The runacct Script.
Monthly, you can process and print the cumulative runacct summary files by executing the monacct script. The summary reports produced by the monacct script provide an efficient means for billing users on a monthly or other fiscal basis.

System Accounting Components

The accounting software provides C language programs and shell scripts that organize data into summary files and reports. These programs reside in the /usr/lib/acct directories. The accounting reports reside in the /var/adm/acct directory.

Daily accounting can help you perform four types of auditing:

Connect
Process
Disk
Fee calculations

Connect Accounting

Connect accounting enables you to determine:

The length of time a user was logged in
How the tty lines are being used
The number of reboots on your system
How many times the accounting software was turned off and on

To provide this information, the system stores:

Records of time adjustments
Boot times
Times the accounting software was turned off and on
Changes in run levels
The creation of user processes (login processes and init processes), and the terminations of processes.

These records (produced from the output of system programs such as date, init, login, ttymon, and acctwtmp) are stored in the /var/adm/wtmpx file. Entries in the wtmpx file can contain the following information:

Login name
Device name
Process ID
Entry type
Time stamp that denotes when the entry was made.

Process Accounting

Process accounting enables you to keep track of the following data about each process that runs on your system:

User IDs and group IDs of users using the process
Beginning times and elapsed times of the process
CPU time for the process (user time and system time)
Amount of memory used
Commands run
The tty controlling the process

Every time a process terminates, the exit program collects this information and writes it to the /var/adm/pacct file.

Disk Accounting

Disk accounting enables you to gather and format the following data about the files each user has on disks:

User name and user ID of the user
Number of blocks used by the user's files

This data is collected by the /usr/lib/acct/dodisk shell script at intervals determined by the entry you add to the /var/spool/cron/crontabs/root file. In turn, the dodisk script invokes the acctdisk and acctdusg commands, which gather disk usage by login.

Caution –

Information gathered by running the dodisk script is stored in the /var/adm/acct/nite/disktacct file. This information is overwritten the next time the dodisk script is run. Therefore, avoid running the dodisk script twice in the same day.

The acctdusg command might overcharge for files that are written randomly, which can create holes in the files. This problem occurs because the acctdusg command does not read the indirect blocks of a file when determining the file size. Rather, the acctdusg command determines the file size by checking the di_size value of the inode.

Calculating User Fees

The chargefee utility stores charges for special services provided to a user, such as file restoration, in the /var/adm/fee file. Each entry in the file consists of a user login name, user ID, and the fee. This file is checked by the runacct script every day and new entries are merged into the accounting records. For instructions on running the chargefee script to bill users, see How to Bill Users.

How Daily Accounting Works

Here is a step-by-step summary of how daily accounting works:

When the system is switched into multiuser mode, the /usr/lib/acct/startup program is executed. The startup program executes several other programs that invoke daily accounting.

The acctwtmp program adds a “boot” record to the /var/adm/wtmpx file. In this record, the system name is shown as the user name in the wtmpx record. The following table summarizes how the raw accounting data is gathered and where it is stored.

Table 19–1 Raw Accounting Data


File in `/var/adm`	Information Stored	Written By	Format
`wtmpx`	Connect sessions	`login`, `init`	binary
	Changes	`date`
	Reboots	`acctwtmp`
	Shutdowns	`shutacct`
`pacctn`	Processes	Kernel (when the process ends)	binary
		`turnacct switch` (which creates a new file when the old one reaches 500 blocks)
`fee`	Special charges	`chargefee`	ASCII
`acct/nite/disktacct`	Disk space used	`dodisk`	binary

The turnacct script, invoked with the -on option, begins process accounting. Specifically, the turnacct script executes the accton program with the /var/adm/pacct argument.
The remove shell script “cleans up” the saved pacct and wtmpx files left in the sum directory by the runacct script.
The login and init programs record connect sessions by writing records into the /var/adm/wtmpx file. Date changes (using date with an argument) are also written to the /var/adm/wtmpx file. Reboots and shutdowns using the acctwtmp command are also recorded in the /var/adm/wtmpx the.
When a process ends, the kernel writes one record per process, using the acct.h format, in the /var/adm/pacct file.

Every hour, the cron command executes the ckpacct script to check the size of the /var/adm/pacct file. If the file grows past 500 blocks (default), the turnacct switch command is executed. (The program moves the pacct file to the pacctn file and creates a new one.) The advantage of having several smaller pacct files becomes apparent when you try to restart the runacct script if a failure occurs when processing these records.
The runacct script is executed by the cron command each night. The runacct script processes the accounting files: /var/adm/pacctn, /var/adm/wtmpx, /var/adm/fee, and /var/adm/acct/nite/disktacct, to produce command summaries and usage summaries by user name.
The /usr/lib/acct/prdaily script is executed on a daily basis by the runacct script to write the daily accounting information in the /var/adm/acct/sum/rprtMMDD files.
The monacct script should be executed on a monthly basis (or at intervals you determine, such as the end of every fiscal period). The monacct script creates a report based on data stored in the sum directory that has been updated daily by the runacct script. After creating the report, the monacct script “cleans up” the sum directory to prepare the directory's files for the new runacct data.

What Happens if the System Shuts Down

If the system is shut down using the shutdown command, the shutacct script is executed automatically. The shutacct script writes a reason record into the /var/adm/wtmpx file and turns off process accounting.

Setting Up System Accounting

You can set up system accounting to run while the system is in multiuser mode (system state 2). Generally, this task involves:

Creating the /etc/rc0.d/K22acct and /etc/rc2.d/S22acct startup scripts
Modifying the /var/spool/cron/crontabs/adm and /var/spool/cron/crontabs/root crontab files

The following table describes the default accounting scripts.

Table 19–2 Default Accounting Scripts


Accounting Script	Man Page	Purpose	Run Frequency
`ckpacct`	ckpacct(1M)	Checks the size of the `/usr/adm/pacct` log file and makes sure it does not get too large.	Periodically
`runacct`	runacct(1M)	Processes connect, disk, and fee accounting information. You can remove the commands from this script for the accounting features you do not want processed.	Daily
`monacct`	monacct(1M)	Generates fiscal accounting summary reports on a monthly basis. You can determine how often this script is run. You can remove the commands from this script for the accounting features you do not want generated.	On a fiscal basis

You can choose which accounting scripts run by default. After these entries have been added to the crontab files, accounting should run automatically.

How to Set Up System Accounting

Become superuser.

If necessary, install the SUNWaccr and SUNWaccu packages on your system by using the pkgadd command.

Install /etc/init.d/acct as the startup script for Run Level 2.
# ln /etc/init.d/acct /etc/rc2.d/S22acct

Install /etc/init.d/acct as the stop script for Run Level 0.
# ln /etc/init.d/acct /etc/rc0.d/K22acct

Add the following lines to the adm crontab file to start the ckpacct, runacct, and monacct scripts automatically.

# EDITOR=vi; export EDITOR
# crontab -e adm
0 * * * * /usr/lib/acct/ckpacct
30 2 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
30 7 1 * * /usr/lib/acct/monacct

Add the following line to the root crontab file to start the dodisk script automatically.
# crontab -e 30 22 * * 4 /usr/lib/acct/dodisk

Edit /etc/acct/holidays to include national and local holidays.

For more information, see holidays(4) and the example that follows.

Reboot the system, or start accounting manually by typing:
# /etc/init.d/acct start

Examples—Setting Up Accounting

This modified adm crontab contains entries for the ckpacct, runacct, and monacct scripts.

#ident  "@(#)adm        1.5     92/07/14 SMI"    /* SVr4.0 1.2   */
#
# The adm crontab file should contain startup of performance 
# collection if the profiling and performance feature has been 
# installed.
0 * * * * /usr/lib/acct/ckpacct
30 2 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
30 7 1 * * /usr/lib/acct/monacct

This modified root crontab contains entries for the dodisk program.

#ident  "@(#)root       1.19    98/07/06 SMI"   /* SVr4.0 1.1.3.1       */
#
# The root crontab should be used to perform accounting data collection.
#
# The rtc command is run to adjust the real time clock if and when
# daylight savings time changes.
#
10 3 * * * /usr/sbin/logadm
15 3 * * 0 /usr/lib/fs/nfs/nfsfind
1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1
30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
30 22 * * 4 /usr/lib/acct/dodisk

The following example shows a sample /etc/acct/holidays file.

* @(#)holidays	January 1, 2002
*
* Prime/Nonprime Table for UNIX Accounting System
*
* Curr	Prime	Non-Prime
* Year	Start	Start
*
  2002	0800	1800
*
* only the first column (month/day) is significant.
*
* month/day	Company
* 		Holiday
*
1/1		New Years Day
7/4		Indep. Day
12/25		Christmas

Billing Users

If you provide special user services by request, such as restoring files or remote printing, you might want to bill users by running the chargefee utility. The chargefee utility records charges in the /var/adm/fee file. Each time the runacct utility is executed, new entries are merged into the total accounting records.

See acctsh(1M) for more information.

How to Bill Users

Become superuser.

Charge a user for special services.

# /usr/lib/acct/chargefee username amount

`username`	User account you want to bill.
`amount`	Number of units to bill the user. This is an arbitrary unit that you set to charge users based on some task like printing or restoring a file. You would have to write a script that invokes `chargefee` and charges a user for a specific task.

Example—Billing Users

The following example charges the user print_customer 10 units.

# /usr/lib/acct/chargefee print_customer 10

Maintaining Accounting Information

This section describes how to fix corrupted accounting files and how to restart the runacct script.

Fixing Corrupted Files and `wtmpx` Errors

Unfortunately, system accounting is not foolproof. Occasionally, a file becomes corrupted or lost. Some of the files can simply be ignored or restored from backup. However, certain files must be fixed to maintain the integrity of system accounting.

The wtmpx files seem to cause the most problems in the daily operation of the system accounting. When the date is changed manually and the system is in multiuser mode, a set of date change records is written into the /var/adm/wtmpx file. The wtmpfix utility is designed to adjust the time stamps in the wtmp records when a date change is encountered. However, some combinations of date changes and reboots slip through the wtmpfix utility and cause the acctcon program to fail.

How to Fix a Corrupted `wtmpx` File

Become superuser.

Change to the /var/adm directory.

Convert the wtmpx file from binary to ASCII format.
# /usr/lib/acct/fwtmp < wtmpx > wtmpx.ascii

Edit wtmpx.ascii to delete the corrupted records.

Convert the wtmpx.ascii file back to a binary file.
# /usr/lib/acct/fwtmp -ic < wtmpx.ascii > wtmpx
See fwtmp(1M) for more information.

Fixing `tacct` Errors

The integrity of the /var/adm/acct/sum/tacct file is important if you are charging users for system resources. Occasionally, unusual tacct records appear with negative numbers, duplicate user IDs, or a user ID of 65535. First, check the /var/adm/acct/sum/tacctprev file by using the prtacct script to print it. If the contents look all right, patch the latest /var/adm/acct/sum/tacctMMDD file, then recreate the /var/adm/acct/sum/tacct file. The following steps outline a simple patch procedure.

How to Fix `tacct` Errors

Become superuser.

Change to the /var/adm/acct/sum directory.

Convert the tacctMMDD file from binary to ASCII format.
# /usr/lib/acct/acctmerg -v < tacctMMDD > xtacct
MMDD is pair of two-digit numbers that represent the month and day.

Edit the xtacct file, removing corrupted records and writing duplicate records to another file.

Convert the xtacct file from ASCII format to binary.
# /usr/lib/acct/acctmerg -i < xtacct > tacctMMDD
MMDD is pair of two-digit numbers that represent the month and day.

Merge the files tacctprev and tacct.MMDD into the tacct file.

# /usr/lib/acct/acctmerg < tacctprev tacctMMDD > tacct

Restarting the `runacct` Script

The runacct script can fail for a variety of reasons. The most common reasons are a system crash, the /var directory running out of space, or a corrupted wtmpx file. If the active.MMDD file exists, check it first for error messages. If the active and lock files exist, check fd2log for any relevant messages.

Run without arguments, the runacct script assumes that this invocation is the first invocation of the day. The argument MMDD is necessary if the runacct script is being restarted and specifies the month and day for which the runacct script reruns the accounting. The entry point for processing is based on the contents of the statefile file. To override the statefile file, include the desired state on the command line. For a description of the available states, see runacct(1M).