Home

Process Accounting

Issue 104

From Issue #104
December 2002

Dec 01, 2002  By Keith Gilbertson
 in
One notch in your security belt, maybe for tracking gaming time, here's some basic how-tos.
Standard Process Accounting Commands

Even if process accounting facilities have been compiled into your kernel, you might not have the user commands for process accounting installed on your system. If this is the case, and you're looking to get started quickly, first try finding the process accounting commands for your specific Linux distribution.

The package for your distribution likely is configured to place log files in the appropriate location for your system's setup, making installation much simpler. On my Red Hat 7.2 distribution CDs, I found the ps-acct-6.3.2-9.i386.rpm on the second disk, in the directory. If you use the gnorpm graphical install tool, the package will appear in the Packages/Applications/System hierarchy. On a Debian system, install the acct package.

If you're installing from source, two versions of the utilities are available. One version, under the BSD license, is available at www.ibiblio.org/pub/Linux/system/admin/accounts. The filename will be similar to acct-1.3.73.tar.gz, with small differences depending on the version number. In order to get these utilities to compile on my system, I had to edit the lastcomm.c file and comment out the prototype for the strcpy function.

There is also a process accounting utilities set written by Noel Cragg and licensed under the GNU GPL. It's available at www.gnu.org/directory/System_administration/Monitoring/acct.html.

The exact process accounting commands installed on your system will vary depending on the particular package you've chosen. Table 1 shows a list of the commands you could encounter and the purpose of each.

Table 1. Process Accounting Commands

Installation of the GNU Accounting Utilities

Let's take a quick look at how to install the GNU Accounting Utilities on a system. Use the following commands:

tar zxvf acct_6.3.5.orig.tar.gz
cd acct-6.3.5
./configure
make
su
make install

A few basic process accounting commands have now been installed on your system. You're now ready to turn on the accounting and start using the commands.

Using the Utilities

In this brief introduction to using the process accounting commands, I look at two commands, accton and lastcomm. I've chosen these two commands because they are standard on all process accounting versions.

The accton command switches process accounting on or off. If a filename is specified on the command line, that filename will be used to log the process accounting information. If no argument is specified, process accounting will be switched off.

To start the process accounting facilities on your system, su to become root. Make sure that the log file exists by performing a touch on the desired location. Example:

touch  /var/log/pacct

Then type the full path to your accton program (usually /usr/sbin/accton or /sbin/accton) followed by the filename. Example: 

/sbin/accton /var/log/pacct
You've just started the process accounting facilities. Note that the data actually is not added to the file when each process begins execution; it is written when a process exits. The aforementioned project manager can play the xbill game all day long and not have this information written to the process accounting file, as long as he never exits the program. When he goes home at night, he can choose to leave xbill running and minimize the window, or he can simply power off his computer without performing a proper shutdown.

Now that you've switched on the accounting, run a few normal commands as an ordinary user to get some data for the lastcomm command, which you'll use next. When you're finished, su to root once more, and run /usr/sbin/accton or /sbin/accton with no arguments to switch off process accounting.

The lastcomm command prints information contained in the accounting log files, with the most recent record printed first. You can use the -f command-line option to specify a filename. Typically, the process accounting log file on a system is set up so that only root can read it. This command is then executed by root, for example:

lastcomm -f /var/log/pacct

When you type in the above command, the output is similar to this: 

id         root   stdin  0.00 secs Mon Jul 22 12:41
xauth   S  root   stdin  0.00 secs Mon Jul 22 12:41
xauth   S  keithg stdin  0.00 secs Mon Jul 22 12:41
xauth   S  keithg stdin  0.01 secs Mon Jul 22 12:41
bubbles  X keithg ??     0.01 secs Mon Jul 22 12:33
ls         keithg ??     0.01 secs Mon Jul 22 12:26
bash     X keithg ??     0.03 secs Mon Jul 22 08:25
lastcomm displays the command name, options, user name, terminal and exit time for each command. A particular command, user or terminal also can be specified on the command line. For example, if you want to find instances only of when the su program was started, you can type: 
lastcomm -f /var/log/pacct --command su
Now you'll see output like this: 
su      root     ??      0.01 secs Mon Jul 22 10:52
su      keithg   stdout  0.05 secs Mon Jul 22 09:32
su      keithg   stdout  0.00 secs Mon Jul 22 09:17
su      root     ??      0.00 secs Mon Jul 22 03:29
su      keithg   tty1    0.00 secs Sun Jul 21 19:49
Notice that on each line, the command listed in the left column is now su. For more details about these commands and the other programs in the table, see the respective man pages.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

process accounting

Anonymous's picture
Submitted by Anonymous (not verified) on Fri, 11/17/2006 - 09:25.

any one show me the way how can i use my /var/account/pacct.*.gz files
for monthly account without using crontab filed
any can explain the structure of these files

Must read for those who want to monitor proccesses more closely

djatlantic's picture
Submitted by djatlantic (not verified) on Wed, 10/12/2005 - 21:06.

Thanks for the article.

process uptimes

gnuyoga's picture
Submitted by gnuyoga (not verified) on Sat, 09/02/2006 - 02:40.

can be effectively used to find process uptimes as well.

Nice article. thanks

CPU Usage

JP's picture
Submitted by JP (not verified) on Mon, 12/11/2006 - 23:28.

Hi
Can it be used to find total cpu usage?

I want an equivalent of acctcom

Thanks & Regards
JP

White Paper
More Resources
Fabric-Based Computing Enables Optimized Hyperscale Data Centers

Today’s modular x86 servers are compute-centric, designed as a least common denominator to support a wide range of IT workloads. Those generic, virtualized IT workloads have much different resource optimization requirements than hyperscale and cloud applications. They have resulted in a “one size fits all” enterprise IT architecture that is not optimized for a specific set of IT workloads, and especially not emerging hyperscale workloads, such as web applications, big data, and object storage. In this report, you will learn how shifting the focus from traditional compute-centric IT architectures to an innovative disaggregated fabric-based architecture can optimize and scale your data center.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions