Daily accounting can help you track four types of accounting: connect accounting, process accounting, disk accounting, and fee calculations.
Connect accounting enables you to determine the following:
The length of time a user was logged in
How the tty lines are being used
The number of reboots on your system
The frequency with which the accounting software was turned off and on
To provide this information, the system stores records of time adjustments, boot times, times the accounting software was turned off and on, changes in run levels, the creation of user processes (login processes and init processes), and the deaths of processes. These records (produced from the output of system programs such as date, init, login, ttymon, and acctwtmp) are stored in the /var/adm/wtmpx file. Entries in the wtmpx file may contain the following information: a user's login name, a device name, a process ID, the type of entry, and a time stamp denoting when the entry was made.
Process accounting enables you to keep track of the following data about each process run on your system:
User and group IDs of those using the process
Beginning and elapsed times of the process
CPU time for the process (user time and system time)
Amount of memory used
Commands run
The tty controlling the process
Every time a process dies, the exit program collects this data and writes it to the /var/adm/pacct file.
Disk accounting enables you to gather and format the following data about the files each user has on disks:
Name and ID of the user
Number of blocks used by the user's files
This data is collected by the shell script /usr/lib/acct/dodisk at intervals determined by the entry you add to the /var/spool/cron/crontabs/root file. In turn, dodisk invokes the commands acctdusg and diskusg, which gather disk usage by login.
See "How to Set Up System Accounting" for more information about setting up dodisk.
The acctdusg(1M) command gathers all the disk accounting information. Each time it is invoked, this command can process a maximum of 3000 users.
Information gathered by running dodisk(1M) is stored in the /var/adm/acct/nite/disktacct file. This information is overwritten the next time dodisk is run. Therefore, avoid running dodisk twice in the same day.
The diskusg command may overcharge for files that are written in random access fashion, which may create holes in the files. This is because diskusg does not read the indirect blocks of a file when determining its size. Rather, diskusg determines the size of a file by looking at the di_size value of the inode.
The chargefee utility stores charges for special services provided to a user, such as file restoration, in the file /var/adm/fee. Each entry in the file consists of a user's login name, user ID, and the fee. This file is checked by the runacct program every day and new entries are merged into the total accounting records. For instructions on running chargefee to bill users, see "How to Bill Users".
Here is a step-by-step summary of how daily accounting works:
When the system is switched into multiuser mode, the /usr/lib/acct/startup program is executed. The startup program executes several other programs that invoke accounting.
The acctwtmp program adds a "boot" record to /var/adm/wtmpx. In this record, the system name is shown as the login name in the wtmpx record. The following table summarizes how the raw accounting data is gathered and where it is stored.
Table 32-1 Raw Accounting Data
The turnacct program, invoked with the -on option, begins process accounting. Specifically, turnacct executes the accton program with the /var/adm/pacct argument.
The remove shell script "cleans up" the saved pacct and wtmpx files left in the sum directory by runacct.
The login and init programs record connect sessions by writing records into /var/adm/wtmpx. Any date changes (using date with an argument) are also written to /var/adm/wtmpx. Reboots and shutdowns using acctwtmp are also recorded in /var/adm/wtmpx.
When a process ends, the kernel writes one record per process, using acct.h format, in the /var/adm/pacct file.
Every hour, cron executes the ckpacct program to check the size of /var/adm/pacct. If the file grows past 500 blocks (default), the turnacct switch is executed. (The program moves the pacct file and creates a new one.) The advantage of having several smaller pacct files becomes apparent when trying to restart runacct if a failure occurs when processing these records.
runacct is executed by cron each night. runacct processes the accounting files: /var/adm/pacctn, /var/adm/wtmpx, /var/adm/fee, and /var/adm/acct/nite/disktacct, to produce command summaries and usage summaries by login.
The /usr/lib/acct/prdaily program is executed on a daily basis by runacct to write the daily accounting information collected by runacct (in ASCII format) in /var/adm/acct/sum/rprt.MMDD.
The monacct program should be executed on a monthly basis (or at intervals determined by you, such as the end of every fiscal period). The monacct program creates a report based on data stored in the sum directory that has been updated daily by runacct. After creating the report, monacct "cleans up" the sum directory to prepare the directory's files for the new runacct data.
If the system is shut down using shutdown, the shutacct program is executed automatically. The shutacct program writes a reason record into /var/adm/wtmpx and turns off process accounting.