As you have learned by now, UNIX is a very complex operating system with many types of files, utilities, and programs. Your users are logging in and out, storing files, and running programs. One of the problems you may run into is keeping track of usage
of the system. UNIX system accounting was created to assist you in keeping track of your users and processes. UNIX system accounting can help you troubleshoot and tune your system performance. You can even give a value to the resources on your system. This
means that you can charge your users money or a fee for storing files and running processes. In this chapter, you will learn:
What is UNIX system accounting?
How do I set up and turn on the system accounting option?
The moment the UNIX system is up and running, system accounting is tracking information about the system. Information is tracked until the system shuts down. The information that is tracked is as follows:
Users logging in and out of the system
How many resources a user's processes have used
How much disk space has been used by the users' files
Several processes and the UNIX kernel help the system track this usage. Several of these daemons have been covered in previous chapters.
When you boot the UNIX system into multiuser mode, UNIX runs a program called /usr/lib/acct/startup. startup is a shell script that runs other accounting programs and sets flags in the system to make the kernel and other processes start recording
information. Some of the accounting programs that are run by the startup shell script are as follows:
These programs are discussed in the following sections.
The /usr/lib/acct/acctwtmp program writes a record into the file called /var/adm/wtmp. wtmp is a key file of the accounting system, containing records about users connecting to the system, date changes, reboots, and system startups and shutdowns.
Specifically, /var/adm/wtmp has information about the following:
A user's login name
The device the user is logging in on
The user's process id (PID)
How the user is logging in
The date and time the login was made
The record created by acctwtmp is a "boot" record containing the name of the system and the date and time the accounting system was started. You might see this information referred to as reasons in your man pages. In the startup and shutdown
script, you could see:
/usr/lib/acct/acctwtmp "Accounting System ON" >> /var/adm/wtmp
/usr/lib/acct/acctwtmp "Accounting System OFF" >> /var/adm/wtmp
If you were to list the /var/adm/wtmp file, you would find entries for the two examples above. The wording might be slightly different depending upon your operating system.
The /usr/lib/acct/turnacct program turns on the accounting system. If you look inside the startup shell script, you will see the line containing:
This program will run a special process called accton.
/var/adm/pacct has information about processes that are running on the system. Specifically, /var/adm/pacct has information about the following:
Who is using the process
Group IDs of users using the process
The start and elapsed time of the process
The CPU time used
The memory used
The commands run
The tty used to run or use the process.
NOTE: You will find a number of /var/adm/pacct files on your system over a period of time. The reason for this is that UNIX runs a program called /usr/lib/acct/ckpacct. ckpacct will be discussed later in this
chapter, but for now suffice it to say that ckpacct checks the /var/adm/pacct for its size. If the /var/adm/pacct file is more than 500 blocks, ckpacct runs turnacct to move the current pacct file to /var/adm/pacct with an incremented version number
attached. For instance, /var/adm/pacct would be moved to the free name in /var/adm/pacct# (where # starts with the number 1 and is incremented by one every time an additional /var/adm/pacct is needed). The next time ckpacct runs turnacct, it
will move the /var/adm/pacct file to /var/adm/pacct1, and so on. This increment ensures that the /var/adm/pacct file is kept in sequence and never overwritten.
/usr/lib/acct/remove will wipe out the /var/adm/acct/sum/pacct and /var/adm/acct/sum/wtmp files. The /var/adm/acct/sum directory contains accumulated summary files for most of the daily files tracked by the accounting system. You wouldn't want these files
to remain between "reboots" of the accounting system or even the operating system. These files are relevant only from one boot of the accounting system to the next. We will discuss the /var/adm/acct directory later in this chapter.
In a matter of minutes after the system comes up in multiuser mode, someone logs onto the system. No need to fear: the login and init programs are ready for them. login and init record the user's session by adding a record to the /var/adm/wtmp file.
Next, the user runs a process, and the UNIX kernel monitors the process and writes a record about this to the /var/adm/pacct file.
There are other programs that help the accounting system periodically. The /usr/lib/acct/ckpacct file, which checks /var/adm/pacct for its size, is run every hour. The ckpacct shell script runs
to switch the current /var/adm/pacct to an archived file with a version number such as /var/adm/pacct1, /var/adm/pacct2, and so on. These archives will become important when you are recovering from a failure to process these files.
On a daily basis, the /usr/lib/acct/runacct program is run to create daily and cumulative totals for connections, fees, disk storage, and processes. You will learn more about runacct later in this chapter.
When the UNIX system is shut down, the shutdown utility invokes several shell scripts found in the /sbin/rc0.d directory. One of the shell scripts, called K22acct, runs the utility
which will write a record into /var/adm/wtmp. The record is called the "reason" record. After this reason is written, the accounting system is then shut down. Then the shutdown program finishes the system shutdown. See Chapter 34,
"Starting Up and Shutting Down," for more information about the shutdown program.
There are several things that you need to brush up on before starting the accounting system. The /sbin directory contains directories that the boot and shutdown programs use. We are concerned with only three of these directories.
Contains the scripts that are executed during the shutdown process
Contains the scripts that are executed during the boot process to multiuser mode
Contains the programs (links to shell scripts) that are executed as the UNIX system is being initialized
The /etc/rc0.d/K22acct is a shell script that shuts the accounting system down when the system is shutting down. The /etc/rc2.d/S22acct is the shell script that turns on the accounting system. Here is what you do to set up these files:
Link the /sbin/init.d/acct file to the /etc/rc0.d/K22acct.
$ link /sbin/init.d/acct /etc/rc0.d/K22acct
Link the /sbin/init.d/acct file to the /etc/rc2.d/S22acct.
$ link /sbin/init.d/acct /etc/rc2.d/S22acct
When the system is booted, the init process will run these scripts to start the system accounting option. The last thing you need to do is add entries in the crontab file. The crontab file is used by cron to run programs at predetermined times. See
Chapter 20, "Scheduling Processes," for more details on cron. We need to add ckpacct, runacct, monacct, and dodisk to the crontab file to finish the accounting system setup.
Edit the crontab file to add these utilities.
$ crontab -e
Add /usr/lib/acct/ckpacct to check /var/adm/pacct every hour and archive the pacct file once its size is more than 500 blocks.
0 * * * * /usr/lib/acct/ckpacct
Add /usr/lib/acct/runacct to run daily to process the accounting files and prepare daily and cumulative summary files. It is recommended that you run this file during the off-hours of the morning. You can pick any time. For this example, we will use 1:30 a.m.
/usr/lib/acct/runacct is a shell program that is executed every day to process system usage. It will create daily summary files for the /usr/lib/acct/prdaily and /usr/lib/acct/monacct programs. prdaily is run by runacct to write daily accounting
information to the /var/adm/acct/sum/rprtMMDD file. MMDD is the month and day the file was created. monacct is the monthly usage report, which will be covered later in this chapter. There can be one of these files for every day of the week. runacct actually
writes information to several files.
Contains process information. ? represents the incremented /var/adm/pacct file.
Contains user information
Contains fees assessed for usage
Contains the disk space usage
You can find the output of the runacct program in the /var/adm/acct/nite directory. Other files in the /var/adm/acct/nite directory are as follows:
lock and lock1
These files may or may not exist. If they do exist, runacct will not run. It will "think" that it is already running. If you get an error concerning these files during an attempted execution of runacct, remove them with rm (remove command).
This file records the last date that runacct was executed. This file is checked to prevent runacct from being executed more than once daily.
This file contains the message generated by runacct. It will contain important error information in case runacct fails to run.
NOTE: If runacct does have an error, root will be notified by mail. It will write information to /var/adm/acct/nite/fd2log and remove the lock files.
The /usr/lib/acct/dodisk shell script accumulates disk usage information. This shell script program runs three programs.
Collects file data by reading the file inodes
Collects file statistics in the file system
Formats the data from diskusg or acctdusg
NOTE: Only one of the file data accounting programs needs to run. /usr/lib/acct/diskusg and /usr/lib/acct/acctdusg output the same information, but how they approach the information differs. diskusg is much
faster than acctdusg because it looks at the lowest level of file information in the inode. To toggle between the two, dodisk can be invoked with the -o option. The following script:
will run the diskusg method against the device file name of /dev/dsk/c1t0d0s2. If the device name is not specified, then diskusg will look in the /etc/vfstab file and process all the devices. This is very similar to the fsck command that looks at the
file system's inodes when it checks the file system at boot time. This is much faster. The following script:
/usr/lib/acct/dodisk -o /user
will run the acctdusg method against the /user file system mount point. If the mount point is not specified, the root mount point is used.
Remember, if you want to use acctdusg, add the -o option to the dodisk line in the crontab file.
acctdisk will write the formatted output to the /var/adm/acct/nite/disktacct file. This file will have the following information about users' files on the system:
The user's login name
The user's id number
The number of blocks in use in the user's files
WARNING: dodisk stores all this information in /var/adm/acct/nite/disktacct. Each and every time dodisk is executed, it overwrites the /var/adm/acct/nite/disktacct file. Executing dodisk more than once
daily should be avoided.
If you are in a Computer Services department or part of a service provider, you may elect to charge other departments or users for the resources they use. UNIX has provided a program called chargefee that will charge your user for a number of services.
The charges that are generated by chargefee are stored in /var/adm/fee. Say that carolynp sends me a message to mount a tape for her on my system and I charge $1.50 for every mount.
$ chargefee carolynp 1.50
An entry in /var/adm/fee would be made having carolynp, her user id number, and 1.50. Later, in my monthly accounting report, charges for mounting tapes, restoring files, etc. can be pulled into an invoice billed to the user. Most places will normally
charge for processor time and disk space on a monthly basis. The monacct program, which you can read about next, will generate a nice report that charge-back scripts can be run against to invoice users.
monacct runs monthly, or you can run it whenever your fiscal period ends, to generate files that summarize the statistic files created by dodisk and runacct. These files are stored in the /var/adm/acct/fiscal directory. After the monacct program is run,
the files created by dodisk and runacct are removed and reset for the next fiscal period.
The Daily Report can be found in the /var/adm/acct/nite/lineuse file.
$ cat /var/adm/acct/nite/lineuse
Apr 06 01:33 1994  DAILY REPORT FOR excelsior Page 1
from Tue Apr 05 05:10:41 1994
to   Wed Apr 06 01:31:20 1994
TOTAL DURATION IS 5155 MINUTES
LINE      MINUTES   PERCENT   # SESS   # ON   #OFF
ttyp01    1541      30        4        9      5
ttyp10    2564      50        25       8      6
ttyp13    1050      20        15       3      4
TOTALS    5155      100       44       20     10
The details of this report, column by column, are as follows:
LINE
The port that was accessing the system.
MINUTES
The number of minutes the line was in use during the daily period.
PERCENT
The number of minutes in use divided by TOTAL DURATION. TOTAL DURATION is the number of minutes the system was in multiuser mode.
# SESS
The number of times the port was accessed to log in to the system.
# ON
The number of times the port was used to log the user in to the system. Hey, if you see that the # SESS is very large compared to the # ON, then you have a problem. There might be someone hacking your system on that port.
#OFF
The number of logoffs that occurred at that port and the number of interrupts like Ctrl-c, EOF, etc.
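The # SESS versus # ON check described above can be automated. The following is an added example, not part of the original chapter: the function names suspicious_lines and sample_report, the default threshold of 3, and the ttyp20 row in the sample are assumptions made for illustration, and the parser expects the six-column layout of the report shown above.

```shell
#!/bin/sh
# Added example: flag ports in a lineuse-style report whose "# SESS" count
# is much larger than "# ON". The ratio is an assumed, tunable threshold.

# suspicious_lines [RATIO]
# Reads a lineuse report on standard input and prints "port sess on"
# for every port where sess > RATIO * on.
suspicious_lines() {
    awk -v ratio="${1:-3}" '
        # Data rows have exactly six fields: a port name followed by counts.
        # Header, date, and TOTALS rows fail these checks and are skipped.
        NF == 6 && $1 != "TOTALS" &&
        $2 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ && $5 ~ /^[0-9]+$/ {
            sess = $4 + 0
            on = $5 + 0
            # Multiplying instead of dividing also covers on == 0:
            # session attempts with no successful login are always flagged.
            if (sess > ratio * on)
                printf "%s %d %d\n", $1, sess, on
        }
    '
}

# Sample input: the report from this chapter plus one constructed row
# (ttyp20) showing a port with many attempts and no successful login.
sample_report() {
    cat <<'EOF'
Apr 06 01:33 1994 DAILY REPORT FOR excelsior Page 1
from Tue Apr 05 05:10:41 1994
to Wed Apr 06 01:31:20 1994
TOTAL DURATION IS 5155 MINUTES
LINE MINUTES PERCENT # SESS # ON #OFF
ttyp01 1541 30 4 9 5
ttyp10 2564 50 25 8 6
ttyp13 1050 20 15 3 4
ttyp20 12 0 40 0 40
TOTALS 5155 100 44 20 10
EOF
}

# Demonstration on the sample; on a live system you would run
#   suspicious_lines 3 < /var/adm/acct/nite/lineuse
sample_report | suspicious_lines 3
```

A check like this fits naturally after the nightly runacct job, with any output mailed to root for review.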
The amount of time the user's program required the use of CPU. This is rounded up to the nearest minute.
The amount of memory per minute used to run the programs. This is rounded up to the nearest kilobyte.
Total time the user was actually connected to the system.
The number of disk blocks used. This sum is placed by dodisk.
# OF PROCS
The number of processes the user executed.
# OF SESS
The number of sessions the user incurred by logging in to the system.
# DISK SAMPLES
The number of times acctdusg or diskusg was run to accumulate the average number of DISK BLOCKS.
The total amount of usage charges assessed to the user for this given period.
NOTE: You might have noticed that I didn't mention PRIME and NPRIME in the above list. PRIME is the prime-time hours for processing, and NPRIME is the non-prime hours for processing. For instance, holidays
would not be considered prime-time hours. You would expect that a majority of your users would not be on the system during the holiday. The file /etc/acct/holidays allows you to tailor the non-prime times for your company. Why would this be important? I
want to bill my customer a premium rate for using my system during the days or during the heavy processing hours. I will charge a lower rate at non-prime hours. For example, my prime-time hours are from 8:00 a.m. (800 hours) to 6:30 p.m. (1830 hours) for
1994. I would add the following entry in the /etc/acct/holidays file.
# Prime Time Hours for 1994
1994 0800 1830
Here is a sampling of my /etc/acct/holidays file:
$ cat /etc/acct/holidays
0101 New Year's Day
0528 Memorial Day
0704 Independence Day
# Prime Time Hours for 1994
1994 0800 1830
The Daily Command Summary Report can be found in the /var/adm/acct/nite/daycms file.
$ cat /var/adm/acct/nite/daycms
Apr 06 01:32 1994  DAILY COMMAND SUMMARY REPORT FOR excelsior Page 1
                              TOTAL COMMAND SUMMARY
COMMAND   NUMBER   TOTAL      TOTAL     TOTAL      MEAN     MEAN      HOG      CHARS     BLOCKS
NAME      CMDS     KCOREMIN   CPU-MIN   REAL-MIN   SIZE-K   CPU-MIN   FACTOR   TRNSFD    READ
TOTALS    2050     3.57       21.59     157.57     0.21     0.02      0.14     6570519   2726
csh       171      2.50       2.56      10.71      0.45     0.02      0.05     257429    212
grep      14       0.10       .56       2.71       0.40     0.01      0.34     17537     42
more      5        0.04       0.09      1.01       0.59     0.01      0.45     25414     2
awk       2        0.01       0.12      1.71       0.15     0.01      0.55     529       5
The Total Command Summary Report looks like the preceding report with one exception. It is a monthly summary showing totals accumulated since last month or since the last execution of monacct. This report can be seen in the /var/adm/acct/sum/cms file. Here are the
COMMAND NAME
The name of the command.
NUMBER CMDS
The total number of times the command has been executed.
TOTAL KCOREMIN
The total cumulative kilobyte segments used by the command.
TOTAL CPU-MIN
The total processing time in minutes.
TOTAL REAL-MIN
The actual processing time in minutes.
MEAN SIZE-K
The mean of TOTAL KCOREMIN divided by execution.
MEAN CPU-MIN
The mean of executions divided by total processing time in minutes.
HOG FACTOR
The total processing time divided by elapsed time. This is the utilization ratio of the system.
CHARS TRNSFD
The total number of reads and writes to the file system.
BLOCKS READ
The total number of physical block reads and writes.
NOTE: For purposes of illustration, I have deleted the PRIME and NPRIME column from this report. On your system, these will be there for you to view. See the previous note box about what PRIME and NPRIME
The Last Login Report can be found in the /var/adm/acct/sum/loginlog file. This report has the last login that your users have made on your system. Any entry that you find that is several months old could be a candidate to purge from your system.
In this chapter, you learned how to set up the accounting system to track your users and the processes they run. UNIX System Accounting can be a useful tool to help you tune your system and to plan for future expansion of hard disks, memory, and
processors. This is the most common usage of the accounting system. If you are a provider of UNIX resources, such as connections to the Internet, the accounting system allows you to bill those users for the use of your system.