UNIX Unleashed, System Administrator's Edition

- 21 -

UNIX System Accounting

The UNIX accounting system collects information on individual and group usage of the computer system resources. You may use this information as an accounting charge back system to bill users for the system resources utilized during a prescribed billing cycle. Accounting reports generated by the system accounting utilities provide information the systems administrator may use to assess current resource assignments, set resource limits and quotas, and forecast future resource requirements. This chapter will cover:

UNIX System Accounting Basics

Once the computer system has been initialized, and assuming the system accounting option is enabled, statistical collection begins. The data collection process encompasses the following categories:

The accounting system process begins by gathering statistical data from which summary reports can be generated. These reports may be used to assist in system performance analysis and provide the criteria necessary to establish an equitable customer charge back billing system. The aforementioned report categories include several types of reporting data that are collected to make up the accounting reports. Each category is described in the following sections.

Connect Session Statistics

The business units responsible for the organization's information technology (IT) services may use connect session statistics to charge customers for the time spent using system resources. This allows an organization to bill or charge back based on a user's actual connect time. Connect-session accounting data, related to user login and logout, is collected by the init and login commands. When a user logs in, the login program makes an entry in the /var/adm/wtmp file. These records maintain the following user information:

This information can be used to produce reports containing the following information:

Process Usage

System accounting also gathers statistics by individual processes. Examples of collected statistics include:

The statistical information is maintained in the accounting file /var/adm/pacct. This file is accessed by many of the accounting commands used with system accounting. After a process terminates, the kernel writes process specific information to the /var/adm/pacct file. This file contains:

System accounting provides commands to display, report, and summarize process information. Commands also exist (for example, the ckpacct command) to ensure that the process accounting file (/var/adm/pacct) does not grow beyond a specific size.

Disk Space Utilization

System accounting provides the ability for the systems administrator to monitor disk utilization by users. To restrict users to a specified disk usage limit, the systems administrator may implement a disk quota system. As a note, systems administrators should be aware that users can evade charges and quota restrictions for disk usage by changing the ownership of their files to that of another user. This allows an unsuspecting user to be charged fees that are rightfully someone else's. Disk usage commands perform three basic functions:

Printer Usage (AIX 4.2)

Printer usage data is stored in the /var/adm/qacct file in ASCII format. The qdaemon will write the ASCII data to the /var/adm/qacct file after a print job is completed. The record of data stored for each printer queue contains the following data:

Command Definitions

UNIX systems accounting supports numerous commands that can be run via cron and/or the command line. The following discusses some of these commands and the suggested execution method.

Commands That Run Automatically

There are several command entries that the systems administrator must install in the crontab file /var/spool/cron/crontabs/adm to begin collecting accounting data. This is the cron file for the adm user who owns all the accounting files and processes. These commands are intended to be executed by cron in a batch mode, but can be manually executed from the command line.

runacct Maintains the daily accounting procedures. This command works with the acctmerg command to produce the daily summary report files sorted by user name.
ckpacct Controls the size of the /var/adm/pacct file. When the /var/adm/pacct file grows larger than a specified number of blocks (default = 1000 blocks), it turns off accounting and moves the file to /var/adm/pacctx (where x is the number of the file). Then ckpacct creates a new /var/adm/pacct for statistic storage. When the amount of free space on the filesystem falls below a designated threshold (default = 500 blocks), ckpacct automatically turns off process accounting. Once the free space exceeds the threshold, ckpacct restarts process accounting.
dodisk Produces disk usage accounting records by using the diskusg, acctdusg, and acctdisk commands. In the default case, dodisk creates disk accounting records on the special files. These special filenames are maintained in /etc/fstab for HP-UX 10.x and /etc/filesystems for AIX 4.2.x.
monacct Uses the daily reports created by the commands above to produce monthly summary reports.
sa1 System accounting data is collected and maintained in binary format in the file /var/adm/sa/sa{dd}, where {dd} is the day of the month.
sa2 This command removes reports from the /var/adm/sa/sa{dd} file that have been there longer than one week. It is also responsible for writing a daily summary report of system activity to the /var/adm/sa/sa{dd} file.

System Accounting Commands That Run Automatically or Manually

startup When added to the /etc/rc*.d directories, the startup command initiates startup procedures for the accounting system.
shutacct Records the time accounting was turned off by calling the acctwtmp command to write a line to the /var/adm/wtmp file. It then calls the turnacct off command to turn off process accounting.

Note: for AIX systems you would modify the /etc/rc file to reflect system accounting run configuration.

Manually Executed Commands

A member of the adm group or the user adm can execute the following commands:
ac Prints connect-time records. (AIX 4.2)
acctcom Displays process accounting summaries. (Available to all users.)
acctcon1 Displays connect-time summaries.
accton Turns process accounting on and off.
chargefee Charges the user a predetermined fee for units of work performed. The charges are added to the daily report by the acctmerg command.
fwtmp Converts files between binary and ASCII formats.
last Displays information about previous logins.
lastcomm Displays information about the last commands that were executed.
lastlogin Displays the time each user last logged in.
prctmp Displays session records.
prtacct Displays total accounting files.
sa Summarizes raw accounting information to help manage large volumes of accounting information. (AIX 4.2)
sadc Reports on various local system actions, such as buffer usage, disk and tape I/O activity, TTY device activity counters, and file access counters.
time Prints real time, user time, and system time required to execute a command.
timex Reports in seconds the elapsed time, user time, and execution time.
sar Writes to standard output the contents of selected cumulative activity counters in the operating system. The sar command reports only on local activities.

Configuration Procedures

Setting up system accounting involves configuring certain scripts and system files. The following discusses this process in more detail.

Setting Up the AIX 4.2 Accounting System

The first step in configuring AIX 4.2 system accounting is ensuring that the files pacct and wtmp exist and have the proper permission settings. As adm, use the nulladm command to set the access permissions to read (r) and write (w) permission for the file owner and group and read (r) permission for others. The nulladm command will also create the files if they do not exist on the system.

/usr/sbin/acct/nulladm wtmp pacct

A listing of the /var/adm directory structure follows, with the pacct and wtmp files shown:

# pwd
/var/adm
# ls -al
drwxrwxr-x   8 root     adm          512 May 10 08:00 .
drwxr-xr-x  14 bin      bin          512 Apr 01 06:03 ..
-rwxr-----   1 adm      adm          268 May 09 14:48 .profile
-rw-------   1 adm      adm          676 May 09 22:25 .sh_history
drwxrwxr-x   5 adm      adm          512 May 09 13:13 acct
dr-xr-x---   2 bin      cron         512 Apr 01 05:41 cron
-rw-r--r--   1 adm      adm            0 May 09 23:00 dtmp
-rw-rw-r--   1 adm      adm            0 May 09 14:46 fee
-rw-rw-r--   1 adm      adm            0 May 09 16:08 pacct
drwxrwxrwt   2 root     system       512 Apr 01 06:14 ras
drwxrwxr-x   2 adm      adm          512 May 10 00:00 sa
-rw-r--r--   1 root     system      3016 May 09 16:08 savacct
drwxrwxr-x   2 adm      adm          512 Apr 01 05:28 streams
-rw-------   1 root     system      1039 May 09 21:32 sulog
drwxr-xr-x   2 root     system       512 Apr 08 08:37 sw
-rw-r--r--   1 root     system       106 May 09 16:08 usracct
-rw-rw-r--   1 adm      adm         4032 May 10 08:46 wtmp

The /etc/acct/holidays file contains entries listing prime-time and observed holidays during a given calendar year. Therefore, this file will require the systems administrator to edit it on an annual basis.

Prime time must be the first line in the /etc/acct/holidays file that is not a comment. The prime time hours entry is based on a 24-hour clock, with midnight being either 0000 or 2400. Prime time represents the block of core business hours during a 24-hour period when the system resources are in their greatest demand (for example, transactional systems) by the user community. The /etc/acct/holidays file entry for prime time consists of three four-digit fields in the following order:

For example, to specify the year 1997, with prime time beginning at 7:30 a.m. and ending at 5:30 p.m., add the following line:

1997  0730  1730

Organizational holidays for the year follow the prime time line, with each line consisting of four fields in the following order:

The day-of-the-year field contains the numeric day of year (Julian date format--date +%j) on which the holiday occurs, and must be a number from 1 through 365 (366 in leap year). The other three fields are informational.

A listing of the /etc/acct/holidays file follows:

# cat /etc/acct/holidays
* COMPONENT_NAME:  (CMDACCT) Command Accounting
*
* Prime/Nonprime Table for AIX Accounting System
*
* Curr  Prime   Non-Prime
* Year  Start   Start
*
  1997  0730    1730
*
* Day of        Calendar        Company
* Year          Date            Holiday
*
    1           Jan 1           New Year's Day
  146           May 26          Memorial Day (Obsvd.)
  185           Jul 4           Independence Day
  244           Sep 1           Labor Day
  324           Nov 20          Thanksgiving Day
  325           Nov 21          Day after Thanksgiving
  359           Dec 25          Christmas Day
  365           Dec 31          New Years Eve

Process accounting is initialized by adding the following line to the /etc/rc program file. /etc/rc is the run control program used when the system is booted to its target run state. The startup procedure records the time that accounting was initialized and cleans up the previous day's accounting files.

/usr/bin/su - adm -c /usr/sbin/acct/startup

Each filesystem to be included in disk usage accounting must have the account variable set to true in its stanza entry in the /etc/filesystems file. The example stanzas from /etc/filesystems show the /home filesystem with disk usage accounting set to true and the /usr filesystem with it set to false. Therefore, disk usage accounting will occur for /home and not for /usr.

/home:
        dev             = /dev/hd1
        vfs             = jfs
        log             = /dev/hd8
        mount           = true
        check           = true
        vol             = /home
        free            = false
        account         = true

/usr:
        dev             = /dev/hd2
        vfs             = jfs
        log             = /dev/hd8
        mount           = automatic
        check           = false
        type            = bootfs
        vol             = /usr
        free            = false
        account         = false

Each printer queue to be included in printer usage accounting must have the acctfile variable pointing to a data file set in the printer queue stanza in /etc/qconfig. The example stanza for the printer queue HP_laser from /etc/qconfig shows printer usage accounting set to the default data file of /var/adm/qacct. Printer queue usage accounting information for the HP_laser queue will be stored in /var/adm/qacct.

HP_Laser:
        device = lp0
        acctfile = /var/adm/qacct
lp0:
        file = /dev/lp0
        header = never
        trailer = never
        access = both
        backend = /usr/lib/lpd/piobe

The nite, fiscal, and sum directories must exist under /var/adm/acct so that storage of system accounting information can be maintained. Create the /var/adm/acct/nite, /var/adm/acct/fiscal, and /var/adm/acct/sum directories with permission settings of 755 with owner and group set to adm. The following generalizes the usage of these directories and shows a sample directory listing of /var/adm/acct.

/var/adm/acct/nite Daily data and command files used by runacct
/var/adm/acct/sum Summary data and command files used by runacct to produce summary reports
/var/adm/acct/fiscal Summary data and command files used by monacct to produce monthly reports

# pwd
/var/adm/acct
# ls -al
drwxrwxr-x   5 adm      adm          512 May 09 13:13 .
drwxrwxr-x   8 root     adm          512 May 10 10:00 ..
drwxr-xr-x   2 adm      adm          512 May 09 13:13 fiscal
drwxr-xr-x   2 adm      adm          512 May 09 23:10 nite
drwxr-xr-x   2 adm      adm          512 May 09 14:46 sum
#

Log in as the adm user and use crontab -e to edit the crontab file to activate the daily accounting functions. By editing the /var/spool/cron/crontabs/adm file, you are allowing cron to control the periodic collection and reporting of statistical data. See the example of the crontab entries for runacct, dodisk, ckpacct, and monacct below:

10 23 * * 0-6 /usr/lib/acct/runacct 2>/usr/adm/acct/nite/accterr > /dev/null
0  23 * * 0-6 /usr/lib/acct/dodisk > /dev/null 2>&1
0  *  * * *   /usr/lib/acct/ckpacct > /dev/null 2>&1
15 4  1 * *   /usr/lib/acct/monacct > /dev/null 2>&1

The first entry starts the runacct command at 11:10 p.m. daily to process the active system accounting data files. The second entry starts the dodisk command at 11:00 p.m. daily to collect disk usage statistics. The third entry executes the ckpacct command every hour of every day to ensure that the system accounting /var/adm/pacct file does not exceed the specified default block size (1000 blocks is the normal default). The fourth and final entry executes the monacct command on the first day of the month to generate monthly summary accounting reports. Following is an example of the /var/spool/cron/crontabs/adm file with the runacct, dodisk, ckpacct, and monacct commands listed:

#************************************************************************************************************
#
#                  CRONTAB Job listing  -  Administration - System Level
#
#************************************************************************************************************
#  Min    *  Hour   *  Day    * Month   *  Day    *
# of the  * of the  * of the  * of the  * of the  * Command Syntax
#  Day    *  Day    * Month   * Year    *  Week   *
#************************************************************************************************************
#
#      PROCESS ACCOUNTING:
#                         runacct at 11:10 every night
#                         dodisk at 11:00 every night
#                         ckpacct every hour on the hour
#                         monthly accounting 4:15 the first of every month
#============================================================================================================
10    23    *     *     0-6   /usr/lib/acct/runacct 2>/usr/adm/acct/nite/accterr >/dev/null
0     23    *     *     0-6   /usr/lib/acct/dodisk >/dev/null 2>&1
0     *     *     *     *     /usr/lib/acct/ckpacct >/dev/null 2>&1
15    4     1     *     *     /usr/lib/acct/monacct >/dev/null 2>&1
#============================================================================================================

You are now ready for startup or shutdown of the System Accounting process with the following commands:

Startup:
/usr/bin/su - adm -c /usr/lib/acct/startup

Shutdown:
/usr/bin/su - adm -c /usr/lib/acct/shutacct

You may use the following command to verify the state (on or off) of system accounting processes.

# fwtmp < /var/adm/wtmp | pg

Sample truncated output:

LOGIN    .xxx.com:  dtremote      6 23528 0000 0000  863276614 Sat May 10 10:03:34 EST 1997
root     .xxx.com:  dtremote      7 23528 0000 0000  863276629 Sat May 10 10:03:49 EST 1997
LOGIN    .xxx.com:  dtremote      6 20920 0000 0000  863286997 Sat May 10 12:56:37 EST 1997
root     pts/2      pts/2         7 25506 0000 0000  863300368 Sat May 10 16:39:28 EST 1997
                    AIX, acctg    9     0 0000 0000  863300700 Sat May 10 16:45:00 EST 1997
                    accting off   9     0 0000 0000  863301549 Sat May 10 16:59:09 EST 1997
                    AIX, acctg    9     0 0000 0000  863301631 Sat May 10 17:00:31 EST 1997

The above example indicates where the systems administrator started accounting (16:45), shut down accounting (16:59), and then restarted accounting (17:00).

Setting Up the HP-UX 10.x Accounting System

The System Accounting package is usually installed onto the system when the operating system is configured. The administrator can check this with the following command:

#  swlist -l product | grep -i accounting
Accounting            B.10.10        Accounting

If the command does not return line 2 (example shown for a 10.10 HP-UX operating system), do not proceed until the "Systems Accounting Package" has been installed.

Once the systems administrator has confirmed that the "Systems Accounting Package" has been installed, he may proceed with the following configuration guidelines.

The first step in configuring HP-UX 10.x system accounting is ensuring that the files pacct and wtmp exist and have the proper permission settings. As root, use the nulladm command to set the access permissions to read (r) and write (w) permission for the file owner and group and read (r) permission for others. The nulladm command will also create the files if they do not exist on the system.

# /usr/lib/acct/nulladm wtmp pacct

A listing of the /var/adm directory structure follows, with the pacct and wtmp files highlighted:

# pwd
/var/adm
# ls -al
drwxrwxr-x   8 root     adm          512 May 10 08:00 .
drwxr-xr-x  14 bin      bin          512 Apr 01 06:03 ..
-rwxr-----   1 adm      adm          268 May 09 14:48 .profile
-rw-------   1 adm      adm          676 May 09 22:25 .sh_history
drwxrwxr-x   5 adm      adm          512 May 09 13:13 acct
dr-xr-x---   2 bin      cron         512 Apr 01 05:41 cron
-rw-r--r--   1 adm      adm            0 May 09 23:00 dtmp
-rw-rw-r--   1 adm      adm            0 May 09 14:46 fee
-rw-rw-r--   1 adm      adm            0 May 09 16:08 pacct
drwxrwxrwt   2 root     system       512 Apr 01 06:14 ras
drwxrwxr-x   2 adm      adm          512 May 10 00:00 sa
-rw-r--r--   1 root     system      3016 May 09 16:08 savacct
drwxrwxr-x   2 adm      adm          512 Apr 01 05:28 streams
-rw-------   1 root     system      1039 May 09 21:32 sulog
drwxr-xr-x   2 root     system       512 Apr 08 08:37 sw
-rw-r--r--   1 root     system       106 May 09 16:08 usracct
-rw-rw-r--   1 adm      adm         4032 May 10 08:46 wtmp
#

Following the above step, the systems administrator needs to edit the /etc/rc.config.d/acct file and set START_ACCT equal to one (1). This will start systems accounting each time the system is reset. An example of this is:

# Process accounting.
#
# START_ACCT: Set to 1 to start process accounting
#
START_ACCT=1

The /etc/acct/holidays file contains entries listing prime-time and observed holidays during a given calendar year. Therefore, this file will require the systems administrator to edit it on an annual basis.

Prime time must be the first line in the /etc/acct/holidays file that is not a comment. The prime time hours entry is based on a 24-hour clock, with midnight being either 0000 or 2400. Prime time represents the block of core business hours during a 24-hour period when the system resources are in their greatest demand (transactional systems) by the user community. The /etc/acct/holidays file entry for prime time consists of three four-digit fields in the following order:

For example, to specify the year 1997, with prime time beginning at 7:30 a.m. and ending at 5:30 p.m., add the following line:

1997  0730  1730

Organizational holidays for the year follow the prime time line, with each line consisting of four fields in the following order:

The day-of-the-year field contains the numeric day of year (Julian date format--date +%j) on which the holiday occurs and must be a number from 1 through 365 (366 in a leap year). The other three fields are only informational.

A listing of the /etc/acct/holidays file follows:

# cat /etc/acct/holidays
* COMPONENT_NAME:  (CMDACCT) Command Accounting
*
* Prime/Nonprime Table for HP-UX Accounting System
*
* Curr  Prime   Non-Prime
* Year  Start   Start
*
  1997  0730    1730
*
* Day of        Calendar        Company
* Year          Date            Holiday
*
    1           Jan 1           New Year's Day
  146           May 26          Memorial Day (Obsvd.)
  185           Jul 4           Independence Day
  244           Sep 1           Labor Day
  324           Nov 20          Thanksgiving Day
  325           Nov 21          Day after Thanksgiving
  359           Dec 25          Christmas Day
  365           Dec 31          New Years Eve

Disk Accounting Statistics

Each filesystem to be included in disk usage accounting must, by default, exist in the /etc/fstab file. The dodisk command has the option to accept the special filenames as input from the command line. If this is the case, only those special filenames listed will be included in the accounting process. If you wish to generate a report for a single disk device, for example, a filesystem under Logical Volume Manager (LVM), you would use the following command:

# /usr/lib/acct/dodisk   /dev/vg_name/lvol_name


NOTE: Logical Volume Manager is Hewlett-Packard's (HP) subsystem for managing disk space. Its main feature is that it allows the systems administrator to group multiple physical disk drives under one filesystem.

If you wish to provide a sublist of filesystems from the /etc/fstab file, through your system editor create a file that contains the special device names for your filesystems--one filesystem per line. You would use the following command to read in a list of special files to include in the disk accounting process:

# /usr/lib/acct/dodisk <  list.filesystems

The nite, fiscal, and sum directories must exist under /var/adm/acct so that storage of system accounting information can be maintained. Create the /var/adm/acct/nite, /var/adm/acct/fiscal, and /var/adm/acct/sum directories with permission settings of 755 with owner and group set to adm. The following generalizes the usage of these directories and shows a sample directory listing of /var/adm/acct.

/var/adm/acct/nite Daily data and command files used by runacct
/var/adm/acct/sum Summary data and command files used by runacct to produce summary reports
/var/adm/acct/fiscal Summary data and command files used by monacct to produce monthly reports

A listing of the /var/adm/acct directory:

# pwd
/var/adm/acct
# ls -al
drwxrwxr-x   5 adm      adm          512 May 09 13:13 .
drwxrwxr-x   8 root     adm          512 May 10 10:00 ..
drwxr-xr-x   2 adm      adm          512 May 09 13:13 fiscal
drwxr-xr-x   2 adm      adm          512 May 09 23:10 nite
drwxr-xr-x   2 adm      adm          512 May 09 14:46 sum
#

Log in as the adm user and use crontab -e to edit the crontab file to activate the daily accounting functions. By editing the /var/spool/cron/crontabs/adm file, you are allowing cron to control the periodic collection and reporting of statistical data. See the example of the crontab entries for runacct, dodisk, ckpacct, and monacct below:

10 23 * * 0-6 /usr/lib/acct/runacct 2>/usr/adm/acct/nite/accterr > /dev/null
0  23 * * 0-6 /usr/lib/acct/dodisk > /dev/null 2>&1
0  *  * * *   /usr/lib/acct/ckpacct > /dev/null 2>&1
15 4  1 * *   /usr/lib/acct/monacct > /dev/null 2>&1

The first entry starts the runacct command at 11:10 p.m. daily to process the active system accounting data files. The second entry starts the dodisk command at 11:00 p.m. daily to collect disk usage statistics. The third entry executes the ckpacct command every hour of every day to ensure that the system accounting /var/adm/pacct file does not exceed the specified default block size (1000 blocks is the normal default). The fourth and final entry executes the monacct command on the first day of the month to generate monthly summary accounting reports. Following is an example of the /var/spool/cron/crontabs/adm file with the runacct, dodisk, ckpacct, and monacct commands listed:

#************************************************************************************************************
#
#                  CRONTAB Job listing  -  Administration - System Level
#
#************************************************************************************************************
#  Min    *  Hour    *  Day    * Month    *  Day    *
# of the  * of the  * of the  * of the  * of the  * Command Syntax
#  Day    *  Day    * Month   * Year    *  Week   *
#************************************************************************************************************
#
#      PROCESS ACCOUNTING:
#                         runacct at 11:10 every night
#                         dodisk at 11:00 every night
#                         ckpacct every hour on the hour
#                         monthly accounting 4:15 the first of every month
#============================================================================================================
10     23     *     *     0-6   /usr/lib/acct/runacct 2>/usr/adm/acct/nite/accterr >/dev/null
0      23     *     *     0-6   /usr/lib/acct/dodisk >/dev/null 2>&1
0       *     *     *     *     /usr/lib/acct/ckpacct >/dev/null 2>&1
15      4     1     *     *     /usr/lib/acct/monacct >/dev/null 2>&1
#============================================================================================================

You are now ready for startup or shutdown of the System Accounting process with the following commands:

Startup:
/usr/bin/su - adm -c /usr/lib/acct/startup

Shutdown:
/usr/bin/su - adm -c /usr/lib/acct/shutacct

You may use the following command to verify the state (on or off) of System Accounting processes.

# fwtmp < /var/adm/wtmp | pg

Sample truncated output:

rc       sqnc                 90  8 0000 0000 863231977 May  9 21:39:37 1997
getty    cons               1127  5 0000 0000 863231977 May  9 21:39:37 1997
spserver ShPr               1128  5 0000 0000 863231977 May  9 21:39:37 1997
uugetty  a0                 1130  5 0000 0000 863231977 May  9 21:39:37 1997
LOGIN    cons console       1127  6 0000 0000 863231977 May  9 21:39:37 1997
LOGIN    a0   ttyd0p7       1130  6 0000 0000 863231977 May  9 21:39:37 1997
              acctg on         0  9 0000 0000 863232395 May  9 21:46:35 1997
root     p1   ttyp1          634  8 0000 0000 863236183 May  9 22:49:43 1997
LOGIN    p1   pty/ttyp1     1712  6 0000 0000 863270875 May 10 08:27:55 1997
root     p1   ttyp1         1712  7 0000 0003 863270881 May 10 08:28:01 1997
root     p1   ttyp1         1712  8 0000 0000 863281484 May 10 11:24:44 1997
LOGIN    p1   pty/ttyp1     1923  6 0000 0000 863288678 May 10 13:24:38 1997
root     p1   ttyp1         1923  7 0000 0003 863288690 May 10 13:24:50 1997
LOGIN    p2   pty/ttyp2     2155  6 0000 0000 863294925 May 10 15:08:45 1997
              acctg off        0  9 0000 0000 863300425 May 10 16:40:25 1997

The above example indicates where the systems administrator started accounting (21:46:35) and shut down accounting (16:40:25).
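The on and off records in the fwtmp output above, and in the AIX sample earlier in the chapter, can be reduced to a list of periods during which accounting was switched off, which is the part of the log worth reviewing when accounting data is used as an audit trail. This is an added example, not part of the original chapter; the function names and output format are assumptions, the sample lines are taken from the two listings, and the script assumes that only accounting records contain the strings acctg or accting.

```shell
#!/bin/sh
# Added example, not from the original chapter.
# acct_gaps reads `fwtmp < /var/adm/wtmp` text on stdin and prints one line
# per period in which accounting was off:
#     <off_epoch> <on_epoch or -> <seconds or open> <wtmp records in the gap>
# Assumption: only accounting records contain "acctg" or "accting".
acct_gaps() {
    awk '
    function epoch(    i) {         # first all-digit field of 9 or more digits
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+$/ && length($i) >= 9) return $i
        return 0
    }
    /acct(in)?g off/ {              # "accting off" (AIX) or "acctg off" (HP-UX)
        if (!down) { down = 1; t_off = epoch(); seen = 0 }
        next
    }
    /acctg/ {                       # "AIX, acctg" or "acctg on": accounting started
        if (down) { t_on = epoch(); print t_off, t_on, t_on - t_off, seen; down = 0 }
        next
    }
    down { seen++ }                 # logins and other records written during the gap
    END  { if (down) print t_off, "-", "open", seen }
    '
}

# Constructed input: lines copied from the AIX sample output in this chapter.
sample_aix() {
    cat <<'EOF'
root     pts/2      pts/2         7 25506 0000 0000  863300368 Sat May 10 16:39:28 EST 1997
                    AIX, acctg    9     0 0000 0000  863300700 Sat May 10 16:45:00 EST 1997
                    accting off   9     0 0000 0000  863301549 Sat May 10 16:59:09 EST 1997
                    AIX, acctg    9     0 0000 0000  863301631 Sat May 10 17:00:31 EST 1997
EOF
}

# Constructed input: lines copied from the HP-UX sample output above.
sample_hpux() {
    cat <<'EOF'
              acctg on         0  9 0000 0000 863232395 May  9 21:46:35 1997
LOGIN    p2   pty/ttyp2     2155  6 0000 0000 863294925 May 10 15:08:45 1997
              acctg off        0  9 0000 0000 863300425 May 10 16:40:25 1997
EOF
}

sample_aix  | acct_gaps    # one closed gap between the off and on records
sample_hpux | acct_gaps    # accounting still off at the end of the file
```

On a live system the input would be `fwtmp < /var/adm/wtmp | acct_gaps`; a non-zero last column means sessions were recorded in wtmp while process accounting was not collecting.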

Setting Up the Solaris 2.5 Accounting System

Begin by making sure that SUNWaccr and SUNWaccu software packages are installed.

      # pkginfo -l SUNWaccu

Sample output:

   PKGINST:  SUNWaccu
      NAME:  System Accounting, (Usr)
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.5.1,REV=95.10.27.15.23
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  utilities for accounting and reporting of system activity
    PSTAMP:  raid951027152556
  INSTDATE:  Jun 11 1997 08:13
   HOTLINE:  Please contact your local service provider
    STATUS:  completely installed
     FILES:     43 installed pathnames
                 4 shared pathnames
                 5 directories
                36 executables
                 1 setuid/setgid executables
               453 blocks used (approx)

# pkginfo -l SUNWaccr

Sample output:

   PKGINST:  SUNWaccr
      NAME:  System Accounting, (Root)
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.5.1,REV=95.10.27.15.23
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  utilities for accounting and reporting of system activity
    PSTAMP:  raid951027152552
  INSTDATE:  Jun 11 1997 08:13
   HOTLINE:  Please contact your local service provider
    STATUS:  completely installed
     FILES:     18 installed pathnames
                 7 shared pathnames
                 1 linked files
                13 directories
                 2 executables
                 6 blocks used (approx)

If you do not receive output similar to the above example listings, use either pkgadd or swmtool to install these software packages.

Set up the link necessary for starting system accounting at system initialization.

    # ln /etc/init.d/acct /etc/rc2.d/S22acct 

Set up the link necessary for shutting down system accounting at system shutdown.

    # ln /etc/init.d/acct /etc/rc0.d/K22acct

Add the following entries to the /var/spool/cron/crontabs/adm file:

    0 * * * * /usr/lib/acct/ckpacct
    10 23 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log 
    15 04 1 * * /usr/lib/acct/monacct
      

Please note that these entries are processed from the crontab file for the adm user and must follow the cron format.

#************************************************************************************************************
#
#                  CRONTAB Job listing  -  adm - System Level
#
#************************************************************************************************************
#  Min    *  Hour   *  Day    * Month   *  Day    *
# of the  * of the  * of the  * of the  * of the  * Command Syntax
#  Day    *  Day    * Month   * Year    *  Week   *
#************************************************************************************************************
#
#      PROCESS ACCOUNTING:
#                         runacct at 11:10 every night
#                         ckpacct every hour on the hour
#                         monthly accounting 4:15 the first of every month
#============================================================================================================
10     23    *     *     0-6   /usr/lib/acct/runacct 2>/usr/adm/acct/nite/fd2log 
0      *     *     *     *     /usr/lib/acct/ckpacct >/dev/null 2>&1
15     4     1     *     *     /usr/lib/acct/monacct >/dev/null 2>&1
#============================================================================================================

Add the following entry to the /var/spool/cron/crontabs/root file:

    00 23 * * 0-6 /usr/lib/acct/dodisk >/dev/null 2>&1

    #************************************************************************************************************
    #
    #                  CRONTAB Job listing  -  Root - System Level
    #
    #************************************************************************************************************
    #  Min    *  Hour   *  Day    * Month   *  Day    *
    # of the  * of the  * of the  * of the  * of the  * Command Syntax
    #  Day    *  Day    * Month   * Year    *  Week   *
    #************************************************************************************************************
    #
    #      PROCESS ACCOUNTING:
    #                         dodisk at 11:00 every night
    #============================================================================================================
    0     23     *     *     0-6     /usr/lib/acct/dodisk >/dev/null 2>&1
    #============================================================================================================

Adjust /etc/acct/holidays to reflect both national and company holidays you want your system to recognize.

A listing of the /etc/acct/holidays file follows:

    # cat /etc/acct/holidays
    * COMPONENT_NAME:  (CMDACCT) Command Accounting
    *
    * Prime/Nonprime Table for Solaris Accounting System
    *
    * Curr  Prime   Non-Prime
    * Year  Start   Start
    *
      1997  0730    1730
    *
    * Day of        Calendar        Company
    * Year          Date            Holiday
    *
        1           Jan 1           New Year's Day
      146           May 26          Memorial Day (Obsvd.)
      185           Jul 4           Independence Day
      244           Sep 1           Labor Day
      324           Nov 20          Thanksgiving Day
      325           Nov 21          Day after Thanksgiving
      359           Dec 25          Christmas Day
      365           Dec 31          New Years Eve
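When you adjust the holidays table, each day-of-year number has to agree with its calendar date for the year on the first data line. The following check is an added example, not part of the book or of the accounting package; the function names check_holidays and sample_holidays are hypothetical, and the sample is an excerpt of the listing above.

```shell
# Added example (not from the book): sanity-check a holidays table.
# Reads the file named in $1, or standard input when no argument is given.
check_holidays() {
    awk '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", name, " ")
            split("31 28 31 30 31 30 31 31 30 31 30 31", len, " ")
            for (i = 1; i <= 12; i++) month[name[i]] = i
        }
        /^[ \t]*\*/ || NF == 0 { next }      # comment or blank line
        !year {                               # first data line: year and shift starts
            year = $1 + 0
            if ($2 !~ /^[0-2][0-9][0-5][0-9]$/ || $3 !~ /^[0-2][0-9][0-5][0-9]$/) {
                print "line " NR ": prime/non-prime start must be HHMM"; bad++
            }
            if ((year % 4 == 0 && year % 100 != 0) || year % 400 == 0) len[2] = 29
            next
        }
        {                                     # holiday line: day-of-year, month, day
            m = month[$2]; d = $3 + 0
            if (!m || d < 1 || d > len[m] + 0) {
                print "line " NR ": unknown date " $2 " " $3; bad++; next
            }
            doy = d
            for (i = 1; i < m; i++) doy += len[i]
            if (doy != $1 + 0) {
                print "line " NR ": " $2 " " $3 " is day " doy " of " year ", file says " $1
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$@"
}

# Excerpt of the holidays table from the listing above, header shortened.
sample_holidays() {
    cat <<'EOF'
* Curr Year, Prime Start, Non-Prime Start
  1997  0730    1730
    1           Jan 1           New Year's Day
  146           May 26          Memorial Day (Obsvd.)
  185           Jul 4           Independence Day
  324           Nov 20          Thanksgiving Day
  365           Dec 31          New Years Eve
EOF
}

sample_holidays | check_holidays && echo "holidays table OK"
```

On a live system, run it as check_holidays /etc/acct/holidays; a nonzero exit status means at least one line was reported.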

System accounting can now be started by either rebooting the machine or issuing the runacct command. Take note that executing runacct without any arguments causes the process to assume that this is the first time that runacct has been run for that day. If you are attempting to restart system accounting, be sure to add the appropriate MMDD (DD = Day and MM = Month) argument on the command line.

You are now ready for startup or shutdown of the system accounting process with the following commands:

Startup:

    /usr/bin/su - adm -c /usr/lib/acct/startup

Shutdown:

    /usr/bin/su - adm -c /usr/lib/acct/shutacct

You may use the following command to verify the state (on or off) of system accounting processes.

    # fwtmp < /var/adm/wtmp | pg

Sample truncated output:

    .telnet  tn20 /dev/pts/4        1118  6 0000 0000 871178077 Sat May  10 20:54:37 1997
    root     tn20 pts/4             1118  7 0000 0000 871178098 Sat May  10 20:54:58 1997
                  acctg off            0  9 0000 0000 871179345 Sat May  10 16:10:45 1997
                  acctg on             0  9 0000 0000 871179352 Sat May  10 21:15:52 1997

The above example shows where the systems administrator started accounting (21:15:52) and shut down accounting (16:10:45).
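Each interval between an "acctg off" record and the next "acctg on" record is a window in which no process accounting records were written, so it is worth extracting these pairs rather than reading them by eye. The following filter is an added example, not part of the book or of the accounting package; acct_gaps and sample_fwtmp are hypothetical names, the sample lines are constructed in the layout shown above, and the field positions assume that layout (record type 9, epoch time followed by a five-word date).

```shell
# Added example (not from the book): report accounting on/off gaps from
# fwtmp text output on stdin. Optional $1 = minimum gap in seconds to report.
acct_gaps() {
    awk -v min="${1:-0}" '
        # Count fields from the END of the line: the "acctg on"/"acctg off"
        # line name contains a space and user/id are blank on those records.
        NF >= 12 && $1 == "acctg" && $(NF-8) == 9 {
            epoch = $(NF-5)
            if ($2 == "off") { state = "off"; off_at = epoch }
            else if ($2 == "on") {
                if (state == "off" && epoch - off_at >= min + 0)
                    print "gap", off_at, epoch, epoch - off_at
                state = "on"
            }
        }
        END {
            if (state == "off") print "state off since", off_at
            else print "state", (state == "" ? "unknown" : state)
        }
    '
}

# Constructed sample in the fwtmp layout shown above. Only the epoch column
# is used for arithmetic; the date text is illustrative.
sample_fwtmp() {
    cat <<'EOF'
.telnet  tn20 /dev/pts/4        1118  6 0000 0000 871178077 Sat May 10 20:54:37 1997
root     tn20 pts/4             1118  7 0000 0000 871178098 Sat May 10 20:54:58 1997
              acctg off            0  9 0000 0000 871179345 Sat May 10 21:15:45 1997
              acctg on             0  9 0000 0000 871179352 Sat May 10 21:15:52 1997
              acctg off            0  9 0000 0000 871182952 Sat May 10 22:15:52 1997
EOF
}

# Prints one "gap OFF_EPOCH ON_EPOCH SECONDS" line per closed gap, then the
# final state. On a live system: fwtmp < /var/adm/wtmp | acct_gaps 60
sample_fwtmp | acct_gaps
```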

System Accounting Directory Structure

Most UNIX system accounting takes a hierarchical approach (see Figure 21.1) to laying out its control and data files. This allows the accounting process to maintain temporary and permanent files in logical locations. Each directory in this layer stores related groups of files, commands, or other sub-directories.

Figure 21.1.
System accounting directory structure.

According to systems documentation (HP-UX, AIX, and Solaris), the following system accounting structures are laid out as described in the following sections. Please refer to your system's documentation for more detailed information.

System Accounting High-Level Directory Layout

/var/adm Maintains data-collection files
/var/adm/acct Directories for nite, sum and fiscal
/var/adm/acct/nite Daily data and command files used by runacct
/var/adm/acct/sum Summary data and command files used by runacct to produce summary reports
/var/adm/acct/fiscal Summary data and command files used by monacct to produce monthly reports
/usr/lib/acct System accounting commands
/sbin Shell scripts rc and shutdown procedures
/etc/rc.config.d/acct Set variable START_ACCT equal to 1 to activate accounting at system boot (HP-UX 10.X)
/etc/rc Run command file that executes at system startup and when the system changes run state.

Files in the /var/adm directory
/var/adm/diskdiag Diagnostic output during the execution of disk accounting programs
/var/adm/dtmp Output from the acctdusg command
/var/adm/fee Output from the chargefee command, in ASCII tacct records
/var/adm/pacct Active process accounting file
/var/adm/wtmp Active process accounting file
/var/adm/Spacct?.mmdd Process accounting files for mmdd during the execution of runacct

Files in the /var/adm/acct/nite Directory
mmdd mmdd is the month and day a file was created and is appended to the previous version of the data file.
active Contains warning and error messages generated from runacct execution.
activemmdd Copy of the active file after runacct encounters an error condition.
ctacct.mmdd Total accounting records created from connect session accounting.
ctmp Output of acctcon1. It contains a list of login sessions sorted by userid and login names.
daycms ASCII daily command summary used by prdaily.
daytacct Total accounting records for current day.
disktacct Total accounting records created by the dodisk command.
fd2log Diagnostic output from the execution of runacct.
lastdate The last day runacct was executed, in +%m%d format.
lock and lock1 Used to control serial use of runacct.
lineuse Terminal (tty) line usage report used by prdaily.
log Diagnostics output from acctcon1.
logmmdd Same as log after runacct detects an error.
reboots Contains beginning and ending dates from wtmp, and a listing of reboots.
statefile Used to record the current state being executed by runacct.
tmpwtmp wtmp file, corrected by wtmpfix.
wtmperror Error messages, if any, from wtmpfix.
wtmperrormmdd Same as wtmperror after runacct detects an error.
wtmp.mmdd The previous day's wtmp file.

Files in the /var/adm/acct/sum Directory
cms Total command summary file for current month in internal summary format.
cmsprev Command summary file without latest update.
daycms Command summary file for previous day in internal summary format.
loginlog Shows the last login date for each user.
rptmmdd Daily accounting report for date mmdd.
tacct Cumulative total accounting file for current month.
tacctprev Same as tacct without latest update.
tacctmmdd Total accounting file for date mmdd.
wtmp.mmdd Saved copy of wtmp file for date mmdd. Removed after reboot.

Files in the /var/adm/acct/fiscal Directory

cms{mm} Total command summary for month {mm} in internal summary format.
Fiscrpt{mm} Report similar to prdaily for the month {mm}.
tacct{mm} Total accounting file for the month {mm}.

The acctmerg command can convert records between ASCII and binary formats and merge records from different sources into a single record for each user.

System Accounting Report Generation

After completing system accounting configuration, your system is ready to produce accounting reports. The following covers the basics of report generation for Systems Accounting.

Generation of System Accounting Data Reports

acctcom

The acctcom utility allows you to see the accounting system data at any given time. This command may be executed from the command line with several different options. It is one of the most useful commands for getting a quick report from the system without the need to find a file.

This option will show the average statistics about processes.

    $ acctcom -a

An example of a truncated listing:

    COMMAND                      START    END          REAL      CPU     MEAN
    NAME       USER    TTYNAME  TIME     TIME       (SECS)   (SECS)  SIZE(K)
    #accton    root   [Dhatch]  17:57:07 17:57:07     0.00     0.00    56.00
    #acctwtmp  root     pts/2   17:57:07 17:57:07     0.00     0.00    60.00
    #fwtmp     root     pts/2   17:57:07 17:57:07     0.03     0.00   160.00
    #awk       root     pts/2   17:57:07 17:57:07     0.02     0.02   106.00
    #fwtmp     root     pts/2   17:57:07 17:57:07     0.05     0.00     0.00
    #dspmsg    root     pts/2   17:57:07 17:57:07     0.00     0.00     0.00
    #cat       root     pts/2   17:57:07 17:57:07     0.00     0.00   336.00
    #wtmpfix   root     pts/2   17:57:07 17:57:07     0.05     0.00     0.00
    #dspmsg    root     pts/2   17:57:07 17:57:07     0.02     0.02   192.00
    #acctcon1  root     pts/2   17:57:08 17:57:08     0.17     0.02    96.00
    #sort      root     pts/2   17:57:08 17:57:08     0.25     0.00    82.00
    #acctcon2  root     pts/2   17:57:08 17:57:08     0.05     0.00   168.00
    #acctmerg  root     pts/2   17:57:08 17:57:08     0.05     0.00     0.00
    #dspmsg    root     pts/2   17:57:08 17:57:08     0.00     0.00     0.00
    #basename  root     pts/2   17:57:08 17:57:08     0.03     0.00   138.00
    #sed       root     pts/2   17:57:08 17:57:08     0.03     0.00   136.00
    #acctprc1  root     pts/2   17:57:08 17:57:08     0.05     0.02   184.00
    #acctprc2  root     pts/2   17:57:08 17:57:08     0.05     0.00    68.00
    #acctmerg  root     pts/2   17:57:08 17:57:08     0.02     0.00     0.00
    #mv        root     pts/2   17:57:08 17:57:08     0.02     0.00     0.00
    #acctcms   root     pts/2   17:57:09 17:57:09     0.02     0.00    96.00
    #lsuser    root     pts/2   17:57:09 17:57:09     0.86     0.20    89.00
    #grep      root     pts/2   17:57:09 17:57:09     0.86     0.00   164.00
    #uniq      root     pts/2   17:57:10 17:57:10     0.05     0.00     0.00
    #egrep     root     ?       17:57:22 17:57:22     0.03     0.02   114.00
    .
    .
    .
    #tail      root     ?       18:23:09 18:23:09     0.05     0.00   148.00
    #fgrep     root     ?       18:24:10 18:24:10     0.00     0.00     0.00
    #egrep     root     ?       18:24:10 18:24:10     0.00     0.00     0.00
    #acctcom   root     pts/2   18:24:28 18:24:28     0.39     0.27    58.00

    cmds=287 Real=2.92   CPU=0.04   USER=0.01   SYS=0.03   CHAR=29767.60 BLK=0.00     USR/TOT=0.24 HOG=1.20

This option will show the amount of user time per total time (system time plus user time).

    $ acctcom -r

An example of a truncated listing:

    COMMAND                      START    END         REAL      CPU      CPU
    NAME       USER    TTYNAME   TIME     TIME       (SECS)   (SECS)   FACTOR
    #accton    root   [Dhatch]  17:57:07 17:57:07     0.00     0.00     0.00
    #bsh       root     pts/2   17:57:06 17:57:06     0.20     0.02     0.00
    #mv        root     pts/2   17:57:07 17:57:07     0.02     0.02     0.00
    #cp        root     pts/2   17:57:07 17:57:07     0.02     0.02        1
    #acctwtmp  root     pts/2   17:57:07 17:57:07     0.02     0.00     0.00
    #fwtmp     root     pts/2   17:57:07 17:57:07     0.02     0.00     0.00
    #awk       root     pts/2   17:57:07 17:57:07     0.03     0.02     0.00
    #sed       root     pts/2   17:57:07 17:57:07     0.03     0.00     0.00
    #fwtmp     root     pts/2   17:57:07 17:57:07     0.08     0.02        1
    #cp        root     pts/2   17:57:07 17:57:07     0.02     0.00     0.00
    #chmod     root     pts/2   17:57:07 17:57:07     0.00     0.00     0.00
    #chown     root     pts/2   17:57:07 17:57:07     0.02     0.00     0.00
    #bsh       root     pts/2   17:57:07 17:57:07     0.08     0.02     0.00
    #acctwtmp  root     pts/2   17:57:07 17:57:07     0.00     0.00     0.00
    #fwtmp     root     pts/2   17:57:07 17:57:07     0.03     0.00     0.00
    .
    .
    .
    #telnet    root   [Dhatch]  17:37:21 18:28:39  3078.00     2.14    0.124
    #egrep     root     ?       18:31:47 18:31:47     0.02     0.00     0.00
    #tail      root     ?       18:31:47 18:31:47     0.06     0.02     0.00
    sendmail   root     ?       18:33:32 18:33:32     0.02     0.00     0.00
    #acctcom   root     pts/2   18:33:51 18:33:51     0.47     0.36    0.304

This option will show all the processes that have been executed by the user wdwood.

    $ acctcom -u wdwood

An example of a truncated listing:

    COMMAND                      START    END          REAL      CPU     MEAN
    NAME       USER     TTYNAME  TIME     TIME       (SECS)   (SECS)  SIZE(K)
    #accton    wdwood  [Dhatch] 17:57:07 17:57:07     0.00     0.00    56.00
    #bsh       wdwood   pts/2   17:57:06 17:57:06     0.20     0.02     0.00
    #mv        wdwood   pts/2   17:57:07 17:57:07     0.02     0.02     0.00
    #cp        wdwood   pts/2   17:57:07 17:57:07     0.02     0.02   182.00
    #acctwtmp  wdwood   pts/2   17:57:07 17:57:07     0.02     0.00     0.00
    #fwtmp     wdwood   pts/2   17:57:07 17:57:07     0.02     0.00     0.00
    #awk       wdwood   pts/2   17:57:07 17:57:07     0.03     0.02   121.00
    #sed       wdwood   pts/2   17: