Daily Accounting

Daily accounting can help you track four types of accounting: connect accounting, process accounting, disk accounting, and fee calculations.

Connect Accounting

Connect accounting enables you to determine the following:

• The length of time a user was logged in

• How the tty lines are being used

• The number of reboots on your system

• The frequency with which the accounting software was turned off and on

To provide this information, the system stores records of time adjustments, boot times, times the accounting software was turned off and on, changes in run levels, the creation of user processes (login processes and init processes), and the deaths of processes. These records (produced from the output of system programs such as date, init, login, ttymon, and acctwtmp) are stored in the /var/adm/wtmpx file. Entries in the wtmpx file may contain the following information: a user's login name, a device name, a process ID, the type of entry, and a time stamp denoting when the entry was made.

Process Accounting

Process accounting enables you to keep track of the following data about each process run on your system:

• User and group IDs of those using the process

• Beginning and elapsed times of the process

• CPU time for the process (user time and system time)

• Amount of memory used

• Commands run

• The tty controlling the process

Every time a process dies, the exit program collects this data and writes it to the /var/adm/pacct file.

Disk Accounting

Disk accounting enables you to gather and format the following data about the files each user has on disks:

• Name and ID of the user

• Number of blocks used by the user's files

This data is collected by the shell script /usr/lib/acct/dodisk at intervals determined by the entry you add to the /var/spool/cron/crontabs/root file. In turn, dodisk invokes the commands acctdusg and diskusg, which gather disk usage by login.

See "How to Set Up System Accounting" for more information about setting up dodisk.

The acctdusg(1M) command gathers all the disk accounting information. Each time it is invoked, this command can process a maximum of 3000 users.

Information gathered by running dodisk(1M) is stored in the /var/adm/acct/nite/disktacct file. This information is overwritten the next time dodisk is run. Therefore, avoid running dodisk twice in the same day.

The diskusg command may overcharge for files that are written in random access fashion, which may create holes in the files. This is because diskusg does not read the indirect blocks of a file when determining its size. Rather, diskusg determines the size of a file by looking at the di_size value of the inode.

Calculating User Fees

The chargefee utility stores charges for special services provided to a user, such as file restoration, in the file /var/adm/fee. Each entry in the file consists of a user's login name, user ID, and the fee. This file is checked by the runacct program every day and new entries are merged into the total accounting records. For instructions on running chargefee to bill users, see "How to Bill Users".

How Daily Accounting Works

Here is a step-by-step summary of how daily accounting works:

1. When the system is switched into multiuser mode, the /usr/lib/acct/startup program is executed. The startup program executes several other programs that invoke accounting.

2. The acctwtmp program adds a "boot" record to /var/adm/wtmpx. In this record, the system name is shown as the login name in the wtmpx record. The following table summarizes how the raw accounting data is gathered and where it is stored.

   Table 32-1 Raw Accounting Data

   File in /var/adm	Information	Written By	Format
   wtmpx	Connect sessions	login, init	utmpx.h
   	Changes	date
   	Reboots	acctwtmp
   	Shutdowns	shutacct shell
   pacctn	Processes	Kernel (when the process ends)	acct.h
   		turnacct switch (creates a new file when the old one reaches 500 blocks)
   fee	Special charges	chargefee	acct.h
   acct/nite/disktacct	Disk space used	dodisk	tacct.h

3. The turnacct program, invoked with the -on option, begins process accounting. Specifically, turnacct executes the accton program with the /var/adm/pacct argument.

4. The remove shell script "cleans up" the saved pacct and wtmpx files left in the sum directory by runacct.

5. The login and init programs record connect sessions by writing records into /var/adm/wtmpx. Any date changes (using date with an argument) are also written to /var/adm/wtmpx. Reboots and shutdowns using acctwtmp are also recorded in /var/adm/wtmpx.

6. When a process ends, the kernel writes one record per process, using acct.h format, in the /var/adm/pacct file.

   Every hour, cron executes the ckpacct program to check the size of /var/adm/pacct. If the file grows past 500 blocks (default), the turnacct switch is executed. (The program moves the pacct file and creates a new one.) The advantage of having several smaller pacct files becomes apparent when trying to restart runacct if a failure occurs when processing these records.

7. runacct is executed by cron each night. runacct processes the accounting files: /var/adm/pacctn, /var/adm/wtmpx, /var/adm/fee, and /var/adm/acct/nite/disktacct, to produce command summaries and usage summaries by login.

8. The /usr/lib/acct/prdaily program is executed on a daily basis by runacct to write the daily accounting information collected by runacct (in ASCII format) in /var/adm/acct/sum/rprt.MMDD.

9. The monacct program should be executed on a monthly basis (or at intervals determined by you, such as the end of every fiscal period). The monacct program creates a report based on data stored in the sum directory that has been updated daily by runacct. After creating the report, monacct "cleans up" the sum directory to prepare the directory's files for the new runacct data.

What Happens if the System Shuts Down

If the system is shut down using shutdown, the shutacct program is executed automatically. The shutacct program writes a reason record into /var/adm/wtmpx and turns off process accounting.