System Administration Guide: Advanced Administration

Chapter 19 Managing System Accounting (Tasks)

This section describes how to set up and maintain system accounting.

This is a list of the step-by-step instructions in this chapter.

This is a list of the overview information in this chapter.

For information on using extended accounting, see “Extended Accounting” in System Administration Guide: Resource Management and Network Services.

For reference information on the various system accounting reports, see Chapter 20, System Accounting (Reference).

What is System Accounting?

The SunOS 5.9 system accounting software is a set of programs that enables you to collect and record data about user connect time, CPU time charged to processes, and disk usage. Once you collect this data, you can generate reports and charge fees for system usage.

You can use the accounting programs to:

After you set up the system accounting programs, they run mostly on their own.

How System Accounting Works

Automatic accounting is set up by first putting the accounting startup script into root's crontab file. The accounting startup script can then be started automatically by the cron command.

The following overview illustrates the system accounting process.

  1. Between system startup and shutdown, raw data about system use (such as user logins, running processes, and data storage) are collected in accounting files.

  2. Periodically (usually once a day), the /usr/lib/acct/runacct script processes the various accounting files and produces both cumulative summary files and daily accounting reports. Then the /usr/lib/acct/prdaily script prints the daily reports.

    For more information about the runacct script, see The runacct Script.

  3. Monthly, you can process and print the cumulative runacct summary files by executing the monacct script. The summary reports produced by the monacct script provide an efficient means for billing users on a monthly or other fiscal basis.

System Accounting Components

The accounting software provides C language programs and shell scripts that organize data into summary files and reports. These programs reside in the /usr/lib/acct directories. The accounting reports reside in the /var/adm/acct directory.

Daily accounting can help you perform four types of auditing:

Connect Accounting

Connect accounting enables you to determine:

To provide this information, the system stores:

These records (produced from the output of system programs such as date, init, login, ttymon, and acctwtmp) are stored in the /var/adm/wtmpx file. Entries in the wtmpx file can contain the following information:

Process Accounting

Process accounting enables you to keep track of the following data about each process that runs on your system:

Every time a process terminates, the exit program collects this information and writes it to the /var/adm/pacct file.

Disk Accounting

Disk accounting enables you to gather and format the following data about the files each user has on disks:

This data is collected by the /usr/lib/acct/dodisk shell script at intervals determined by the entry you add to the /var/spool/cron/crontabs/root file. In turn, the dodisk script invokes the acctdisk and acctdusg commands, which gather disk usage by login.


Caution – Caution –

Information gathered by running the dodisk script is stored in the /var/adm/acct/nite/disktacct file. This information is overwritten the next time the dodisk script is run. Therefore, avoid running the dodisk script twice in the same day.


The acctdusg command might overcharge for files that are written randomly, which can create holes in the files. This problem occurs because the acctdusg command does not read the indirect blocks of a file when determining the file size. Rather, the acctdusg command determines the file size by checking the di_size value of the inode.

Calculating User Fees

The chargefee utility stores charges for special services provided to a user, such as file restoration, in the /var/adm/fee file. Each entry in the file consists of a user login name, user ID, and the fee. This file is checked by the runacct script every day and new entries are merged into the accounting records. For instructions on running the chargefee script to bill users, see How to Bill Users.

How Daily Accounting Works

Here is a step-by-step summary of how daily accounting works:

  1. When the system is switched into multiuser mode, the /usr/lib/acct/startup program is executed. The startup program executes several other programs that invoke daily accounting.

  2. The acctwtmp program adds a “boot” record to the /var/adm/wtmpx file. In this record, the system name is shown as the user name in the wtmpx record. The following table summarizes how the raw accounting data is gathered and where it is stored.

    Table 19–1 Raw Accounting Data

    File in /var/adm

    Information Stored 

    Written By 

    Format 

    wtmpx

    Connect sessions  

    login, init

    binary 

     

    Changes

    date

     

     

    Reboots

    acctwtmp

     

     

    Shutdowns

    shutacct

     

    pacctn

    Processes 

    Kernel (when the process ends)  

    binary 

     

     

    turnacct switch (which creates a new file when the old one reaches 500 blocks)

     

    fee

    Special charges 

    chargefee

    ASCII 

    acct/nite/disktacct

    Disk space used 

    dodisk

    binary 

  3. The turnacct script, invoked with the -on option, begins process accounting. Specifically, the turnacct script executes the accton program with the /var/adm/pacct argument.

  4. The remove shell script “cleans up” the saved pacct and wtmpx files left in the sum directory by the runacct script.

  5. The login and init programs record connect sessions by writing records into the /var/adm/wtmpx file. Date changes (using date with an argument) are also written to the /var/adm/wtmpx file. Reboots and shutdowns using the acctwtmp command are also recorded in the /var/adm/wtmpx the.

  6. When a process ends, the kernel writes one record per process, using the acct.h format, in the /var/adm/pacct file.

    Every hour, the cron command executes the ckpacct script to check the size of the /var/adm/pacct file. If the file grows past 500 blocks (default), the turnacct switch command is executed. (The program moves the pacct file to the pacctn file and creates a new one.) The advantage of having several smaller pacct files becomes apparent when you try to restart the runacct script if a failure occurs when processing these records.

  7. The runacct script is executed by the cron command each night. The runacct script processes the accounting files: /var/adm/pacctn, /var/adm/wtmpx, /var/adm/fee, and /var/adm/acct/nite/disktacct, to produce command summaries and usage summaries by user name.

  8. The /usr/lib/acct/prdaily script is executed on a daily basis by the runacct script to write the daily accounting information in the /var/adm/acct/sum/rprtMMDD files.

  9. The monacct script should be executed on a monthly basis (or at intervals you determine, such as the end of every fiscal period). The monacct script creates a report based on data stored in the sum directory that has been updated daily by the runacct script. After creating the report, the monacct script “cleans up” the sum directory to prepare the directory's files for the new runacct data.

What Happens if the System Shuts Down

If the system is shut down using the shutdown command, the shutacct script is executed automatically. The shutacct script writes a reason record into the /var/adm/wtmpx file and turns off process accounting.

Setting Up System Accounting

You can set up system accounting to run while the system is in multiuser mode (system state 2). Generally, this task involves:

  1. Creating the /etc/rc0.d/K22acct and /etc/rc2.d/S22acct startup scripts

  2. Modifying the /var/spool/cron/crontabs/adm and /var/spool/cron/crontabs/root crontab files

The following table describes the default accounting scripts.

Table 19–2 Default Accounting Scripts

Accounting Script 

Man Page 

Purpose 

Run Frequency 

ckpacct

ckpacct(1M)

Checks the size of the /usr/adm/pacct log file and makes sure it does not get too large.

Periodically 

runacct

runacct(1M)

Processes connect, disk, and fee accounting information. You can remove the commands from this script for the accounting features you do not want processed. 

Daily 

monacct

monacct(1M)

Generates fiscal accounting summary reports on a monthly basis. You can determine how often this script is run. You can remove the commands from this script for the accounting features you do not want generated. 

On a fiscal basis 

You can choose which accounting scripts run by default. After these entries have been added to the crontab files, accounting should run automatically.

How to Set Up System Accounting

  1. Become superuser.

  2. If necessary, install the SUNWaccr and SUNWaccu packages on your system by using the pkgadd command.

  3. Install /etc/init.d/acct as the startup script for Run Level 2.


    # ln /etc/init.d/acct /etc/rc2.d/S22acct
    
  4. Install /etc/init.d/acct as the stop script for Run Level 0.


    # ln /etc/init.d/acct /etc/rc0.d/K22acct
    
  5. Add the following lines to the adm crontab file to start the ckpacct, runacct, and monacct scripts automatically.


    # EDITOR=vi; export EDITOR
    # crontab -e adm
    0 * * * * /usr/lib/acct/ckpacct
    30 2 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
    30 7 1 * * /usr/lib/acct/monacct
  6. Add the following line to the root crontab file to start the dodisk script automatically.


    # crontab -e
    30 22 * * 4 /usr/lib/acct/dodisk
  7. Edit /etc/acct/holidays to include national and local holidays.

    For more information, see holidays(4) and the example that follows.

  8. Reboot the system, or start accounting manually by typing:


    # /etc/init.d/acct start
    

Examples—Setting Up Accounting

This modified adm crontab contains entries for the ckpacct, runacct, and monacct scripts.


#ident  "@(#)adm        1.5     92/07/14 SMI"    /* SVr4.0 1.2   */
#
# The adm crontab file should contain startup of performance 
# collection if the profiling and performance feature has been 
# installed.
0 * * * * /usr/lib/acct/ckpacct
30 2 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
30 7 1 * * /usr/lib/acct/monacct

This modified root crontab contains entries for the dodisk program.


#ident  "@(#)root       1.19    98/07/06 SMI"   /* SVr4.0 1.1.3.1       */
#
# The root crontab should be used to perform accounting data collection.
#
# The rtc command is run to adjust the real time clock if and when
# daylight savings time changes.
#
10 3 * * * /usr/sbin/logadm
15 3 * * 0 /usr/lib/fs/nfs/nfsfind
1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1
30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
30 22 * * 4 /usr/lib/acct/dodisk

The following example shows a sample /etc/acct/holidays file.


* @(#)holidays	January 1, 2001
*
* Prime/Nonprime Table for UNIX Accounting System
*
* Curr	Prime	Non-Prime
* Year	Start	Start
*
  1999	0800	1800
*
* only the first column (month/day) is significant.
*
* month/day	Company
* 		Holiday
*
1/1		New Years Day
7/4		Indep. Day
12/25		Christmas

Billing Users

If you provide special user services by request, such as restoring files or remote printing, you might want to bill users by running the chargefee utility. The chargefee utility records charges in the /var/adm/fee file. Each time the runacct utility is executed, new entries are merged into the total accounting records.

See acctsh(1M) for more information.

How to Bill Users

  1. Become superuser.

  2. Charge a user for special services.


    # /usr/lib/acct/chargefee username amount
    

    username

    User account you want to bill. 

    amount

    Number of units to bill the user. This is an arbitrary unit that you set to charge users based on some task like printing or restoring a file. You would have to write a script that invokes chargefee and charges a user for a specific task.

Example—Billing Users

The following example charges the user print_customer 10 units.


# /usr/lib/acct/chargefee print_customer 10

Maintaining Accounting Information

This section describes how to fix corrupted accounting files and how to restart the runacct script.

Fixing Corrupted Files and wtmpx Errors

Unfortunately, system accounting is not foolproof. Occasionally, a file becomes corrupted or lost. Some of the files can simply be ignored or restored from backup. However, certain files must be fixed to maintain the integrity of system accounting.

The wtmpx files seem to cause the most problems in the daily operation of the system accounting. When the date is changed manually and the system is in multiuser mode, a set of date change records is written into the /var/adm/wtmpx file. The wtmpfix utility is designed to adjust the time stamps in the wtmp records when a date change is encountered. However, some combinations of date changes and reboots slip through the wtmpfix utility and cause the acctcon program to fail.

How to Fix a Corrupted wtmpx File

  1. Become superuser.

  2. Change to the /var/adm directory.

  3. Convert the wtmpx file from binary to ASCII format.


    # /usr/lib/acct/fwtmp < wtmpx > wtmpx.ascii 
    
  4. Edit wtmpx.ascii to delete the corrupted records.

  5. Convert the wtmpx.ascii file back to a binary file.


    # /usr/lib/acct/fwtmp -ic < wtmpx.ascii > wtmpx
    

    See fwtmp(1M) for more information.

Fixing tacct Errors

The integrity of the /var/adm/acct/sum/tacct file is important if you are charging users for system resources. Occasionally, unusual tacct records appear with negative numbers, duplicate user IDs, or a user ID of 65535. First, check the /var/adm/acct/sum/tacctprev file by using the prtacct script to print it. If the contents look all right, patch the latest /var/adm/acct/sum/tacctMMDD file, then recreate the /var/adm/acct/sum/tacct file. The following steps outline a simple patch procedure.

How to Fix tacct Errors

  1. Become superuser.

  2. Change to the /var/adm/acct/sum directory.

  3. Convert the tacctMMDD file from binary to ASCII format.


    # /usr/lib/acct/acctmerg -v < tacctMMDD > xtacct
    

    MMDD is pair of two-digit numbers that represent the month and day.

  4. Edit the xtacct file, removing corrupted records and writing duplicate records to another file.

  5. Convert the xtacct file from ASCII format to binary.


    # /usr/lib/acct/acctmerg -i < xtacct > tacctMMDD
    

    MMDD is pair of two-digit numbers that represent the month and day.

  6. Merge the files tacctprev and tacct.MMDD into the tacct file.


    # /usr/lib/acct/acctmerg < tacctprev tacctMMDD > tacct
    

Restarting the runacct Script

The runacct script can fail for a variety of reasons. The most common reasons are a system crash, the /var directory running out of space, or a corrupted wtmpx file. If the active.MMDD file exists, check it first for error messages. If the active and lock files exist, check fd2log for any relevant messages.

Run without arguments, the runacct script assumes that this invocation is the first invocation of the day. The argument MMDD is necessary if the runacct script is being restarted and specifies the month and day for which the runacct script reruns the accounting. The entry point for processing is based on the contents of the statefile file. To override the statefile file, include the desired state on the command line. For a description of the available states, see runacct(1M).


Caution – Caution –

When you run the runacct program manually, be sure to run it as user adm.


How to Restart the runacct Script

  1. Remove the lastdate file and any lock* files, if any.


    $ cd /var/adm/acct/nite
    $ rm lastdate lock*
    

    The lastdate file contains the date that the runacct program was last run. Restarting runacct in the next step recreates this file.

  2. Restart the runacct script.


    $ /usr/lib/acct/runacct MMDD [state] 2> /var/adm/acct/nite/fd2log &
    

    MMDD

    Month and day specified by two-digit numbers. 

    state

    Specifies a state, or starting point, where the runacct processing should begin.

Stopping and Disabling System Accounting

You can temporarily stop system accounting or disable it permanently.

How to Temporarily Stop System Accounting

  1. Become superuser.

  2. Edit the adm crontab file to stop the ckpacct, runacct, and monacct programs from running by commenting out the appropriate lines.


    # EDITOR=vi; export EDITOR
    # crontab -e adm
    #0 * * * * /usr/lib/acct/ckpacct
    #30 2 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
    #30 7 1 * * /usr/lib/acct/monacct
  3. Edit the crontab file for user root to stop the dodisk program from running by commenting out the appropriate line.


    # crontab -e 
    #30 22 * * 4 /usr/lib/acct/dodisk
  4. Stop the accounting program.


    # /etc/init.d/acct stop
    
  5. (Optional) Remove the newly added comment symbols from the crontab files and restart the accounting program to re-enable system accounting.


    # /etc/init.d/acct start
    

How to Permanently Disable System Accounting

  1. Become superuser.

  2. Edit the adm crontab file and delete the entries for the ckpacct, runacct, and monacct programs.


    # EDITOR=vi; export EDITOR
    # crontab -e adm
    
  3. Edit the root crontab file and delete the entries for the dodisk program.


    # crontab -e
    
  4. Remove the startup script for Run Level 2.


    # unlink /etc/rc2.d/S22acct
    
  5. Remove the stop script for Run Level 0.


    # unlink /etc/rc0.d/K22acct
    
  6. Stop the accounting program.


    # /etc/init.d/acct stop