Process Accounting

One notch in your security belt, maybe for tracking gaming time, here's some basic how-tos.
Standard Process Accounting Commands

Even if process accounting facilities have been compiled into your kernel, you might not have the user commands for process accounting installed on your system. If this is the case, and you're looking to get started quickly, first try finding the process accounting commands for your specific Linux distribution.

The package for your distribution likely is configured to place log files in the appropriate location for your system's setup, making installation much simpler. On my Red Hat 7.2 distribution CDs, I found the ps-acct-6.3.2-9.i386.rpm on the second disk, in the directory. If you use the gnorpm graphical install tool, the package will appear in the Packages/Applications/System hierarchy. On a Debian system, install the acct package.

If you're installing from source, two versions of the utilities are available. One version, under the BSD license, is available at www.ibiblio.org/pub/Linux/system/admin/accounts. The filename will be similar to acct-1.3.73.tar.gz, with small differences depending on the version number. In order to get these utilities to compile on my system, I had to edit the lastcomm.c file and comment out the prototype for the strcpy function.

There is also a process accounting utilities set written by Noel Cragg and licensed under the GNU GPL. It's available at www.gnu.org/directory/System_administration/Monitoring/acct.html.

The exact process accounting commands installed on your system will vary depending on the particular package you've chosen. Table 1 shows a list of the commands you could encounter and the purpose of each.

Table 1. Process Accounting Commands

Installation of the GNU Accounting Utilities

Let's take a quick look at how to install the GNU Accounting Utilities on a system. Use the following commands:

tar zxvf acct_6.3.5.orig.tar.gz
cd acct-6.3.5
./configure
make
su
make install

A few basic process accounting commands have now been installed on your system. You're now ready to turn on the accounting and start using the commands.

Using the Utilities

In this brief introduction to using the process accounting commands, I look at two commands, accton and lastcomm. I've chosen these two commands because they are standard on all process accounting versions.

The accton command switches process accounting on or off. If a filename is specified on the command line, that filename will be used to log the process accounting information. If no argument is specified, process accounting will be switched off.

To start the process accounting facilities on your system, su to become root. Make sure that the log file exists by performing a touch on the desired location. Example:

touch  /var/log/pacct

Then type the full path to your accton program (usually /usr/sbin/accton or /sbin/accton) followed by the filename. Example:

/sbin/accton /var/log/pacct
You've just started the process accounting facilities. Note that the data actually is not added to the file when each process begins execution; it is written when a process exits. The aforementioned project manager can play the xbill game all day long and not have this information written to the process accounting file, as long as he never exits the program. When he goes home at night, he can choose to leave xbill running and minimize the window, or he can simply power off his computer without performing a proper shutdown.

Now that you've switched on the accounting, run a few normal commands as an ordinary user to get some data for the lastcomm command, which you'll use next. When you're finished, su to root once more, and run /usr/sbin/accton or /sbin/accton with no arguments to switch off process accounting.

The lastcomm command prints information contained in the accounting log files, with the most recent record printed first. You can use the -f command-line option to specify a filename. Typically, the process accounting log file on a system is set up so that only root can read it. This command is then executed by root, for example:

lastcomm -f /var/log/pacct

When you type in the above command, the output is similar to this:

id         root   stdin  0.00 secs Mon Jul 22 12:41
xauth   S  root   stdin  0.00 secs Mon Jul 22 12:41
xauth   S  keithg stdin  0.00 secs Mon Jul 22 12:41
xauth   S  keithg stdin  0.01 secs Mon Jul 22 12:41
bubbles  X keithg ??     0.01 secs Mon Jul 22 12:33
ls         keithg ??     0.01 secs Mon Jul 22 12:26
bash     X keithg ??     0.03 secs Mon Jul 22 08:25
lastcomm displays the command name, options, user name, terminal and exit time for each command. A particular command, user or terminal also can be specified on the command line. For example, if you want to find instances only of when the su program was started, you can type:
lastcomm -f /var/log/pacct --command su
Now you'll see output like this:
su      root     ??      0.01 secs Mon Jul 22 10:52
su      keithg   stdout  0.05 secs Mon Jul 22 09:32
su      keithg   stdout  0.00 secs Mon Jul 22 09:17
su      root     ??      0.00 secs Mon Jul 22 03:29
su      keithg   tty1    0.00 secs Sun Jul 21 19:49
Notice that on each line, the command listed in the left column is now su. For more details about these commands and the other programs in the table, see the respective man pages.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

process accounting

Anonymous's picture

any one show me the way how can i use my /var/account/pacct.*.gz files
for monthly account without using crontab filed
any can explain the structure of these files

Must read for those who want to monitor proccesses more closely

djatlantic's picture

Thanks for the article.

process uptimes

gnuyoga's picture

can be effectively used to find process uptimes as well.

Nice article. thanks

CPU Usage

JP's picture

Hi
Can it be used to find total cpu usage?

I want an equivalent of acctcom

Thanks & Regards
JP

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix