man uakpacct
NAME
uakpacct - Filtered reporting of pacct* | Spacct* | nqacct* files
SYNOPSIS
uakpacct -options
DESCRIPTION
The uakpacct command provides a formatted dump of UNIX accounting files with
various filtering options to select specific information. Filtering options include:
by userid or group;
by command name;
by tty name (in hex);
by pid, ppid, or job id (on supported platforms);
by duration;
by cpu, block rw, or character io used;
by cpu vs. elapsed threshold rates;
by maximum average memory;
by minor or major faults or swaps (Linux);
by accounting flag or termination signal;
by start or end time and date.
The uakpacct command is similar to the UNIX acctcom command (and others), but with
enhanced filtering and with source available for customization.
Many people consider the UNIX accounting files as useful only for resource
accounting information (e.g., chargeback). However, when you consider that there
are entries for any process termination including start time, elapsed time,
resource consumption, SUID execution, and abnormal termination, the accounting
files can be an excellent tool for problem determination.
OPTIONS (general)
-file file(s)
Files to report from, defaults to /var/account/pacct for Linux. Delimit
multiple filenames with a space (in quotes) or a comma.
-binary binary-output-file
-output report-output-file
-quiet
Quiet option (no headers displayed).
-verbose
Verbose option.
-s_username
Summarize by username.
-s_group
Summarize by group and username.
-s_command
Summarize by command, group, and username.
OPTIONS (reporting)
The default report format is -short. There are several pre-defined formats or
-report can be used to select which fields to display.
-short
Produce short report, same as "-r short".
Fields include: user, command, flag, exit, cpu.
Both start and end times are displayed as "-r human".
-mgmt
Identical to -short but includes "-r rate -R 1" to report processes which
consume greater than 1% of CPU over their elapsed time.
-long
Produce long report, same as "-r long".
Additional fields include: group, tty, ucpu, scpu, ela, cio, blo, mem,
date, time, -hum, -cpu.
-event
Event report, same as "-r event". Writes two lines per record with a hex
record sequence number. First record has start time and second has end
time. Output can be sorted for an approximate event log. However, because
the start time has resolution only to one second, sorting is inaccurate
unless record order is maintained on matching times (file is originally
ordered by process end).
-length length
Specify length of user and group names. Defaults to 8 characters; if 0 is
specified it will float longer than 8. When used with summary reporting, 0
floats all fields with no added white space.
-lookup
Do lookup gid->group.
By default group is displayed as gid, which is faster.
+lookup
Do not lookup uid->userid.
By default userid is looked up, this option is faster.
-blanks
Use blanks with repeated date, user, or group.
This makes a report more readable and is the default for -short.
+blanks
Do not blank repeated date, user, or group.
This makes a report more parsable and is the default for -long.
-FS characters
Specify report field separators.
By default -short uses a space and -long uses a colon.
Three characters can be specified for fields, time, and date.
Time defaults to colon and date defaults to slash.
Time will default to period if colon is specified for fields.
Date will default to dash if slash is specified for fields.
-report field[,field...]
Specify report fields.
Use "uakpacct -v -r?" for current list of fields.
Single fields in order of display:
seq :event sequence number
etime :event time
human :end and start date and time
date :start date
time :start time
start :start date and time
end :end time
user :username or uid
group :group or gid
jid|job :jobid or jid (Cray)
apid :application id (Cray X1)
pid :pid (Cray|Linux v3)
ppid :ppid (Cray|Linux v3)
tty :terminal id (hex)
command :command executed
flag :exit flags
signal|exit :signal (negative) or exit code
wlm :wlm class (AIX)
WLM|key :wlm key (hex, AIX)
ucpu :user cpu time
scpu :system cpu time
cpu :total cpu time
elapse :elapsed time
rate :cpu/elapsed percentage
minflt :minor faults (Linux)
majflt :major faults (Linux)
swaps :swaps (Linux)
chario|cio :character IO
blockrw|brw :block read/writes
memory :average memory
himem :high memory (Cray)
In addition to individual report fields, report types or multi-field aliases can be
used. When a report type is specified it will null any existing field
specifications.
General reports and multiple fields:
short :default short report
mgmt :report with -Rate 1
long :long report
event :event report
80 :archaic report format (old -80)
none :clear all fields
umk :long with Unicos/mk (Cray T3E) fields
unicos :long with Unicos (Cray) fields
ids :adds user, command, flag, signal
Memory :adds minflt, majflt, swaps (Linux)
stats :add ucpu, scpu, elapse, cio, brw, memory
OPTIONS (filtering)
The following options can be used to filter which records are displayed.
-user user|uid[,user|uid...]
To select user(s) to report.
+user user|uid[,user|uid...]
To exclude user(s).
-group group|gid[,group|gid...]
To select group(s) to report.
+group group|gid[,group|gid...]
To exclude group(s).
-command command[,command...]
To select command(s) to report.
Only eight characters of commands are preserved in acct files on many
platforms. Wildcards are permitted when specifying command names; you may
need to escape them depending on your shell.
+command command[,command...]
To exclude command(s).
-tty tty[,tty...]
To select tty name(s) to report (in hex).
Each specified tty should be 8 hex digits or wildcarded. A tty of -1
(ffffffff) is used by most platforms for non-terminal processes.
+tty tty[,tty...]
To exclude tty(s).
-jobid jobid[,jobid...]
Select records matching jobid (Cray).
-pid pid[,pid...]
Select records matching pid or ppid where supported (Cray|Linux v3).
-n
Specify minimum number of commands, implies -s_user.
-elapsed time
Elapsed time to report.
Default is seconds, can specify as N.Nm(inute), N.Nh(our), N.Nd(ay).
-cpU time
User cpu time to report (default in seconds).
-cpu time
Total cpu time to report (default in seconds).
-CPU time
System cpu time to report (default in seconds).
-cio chario
Character IO to report.
Can specify as N.Nk|K|m|M|g|G, where k=1000, K=1024 (etc.).
-Rate pct
To specify a threshold rate of CPU usage.
The cpu seconds are divided by the elapsed seconds to determine the rate.
This filter is useful for identifying processes which consumed more than
their fair share of CPU resources. Under -mgmt the default value for -Rate
is 1% of cpu resources.
-brw blocks
Blocks read/written to report, specified as with -cio.
-memory K-bytes
Average memory to report.
Default as K-bytes, can specify N.Nm|M|g|G.
Note, some platforms do not represent average memory. For example, both AIX
and Irix only increment the value for system not user cpu time. In the
following examples "usemem -b 100 -i 1 -max 110 [-r]" was used:
aix: uakpacct -c usemem -r none,ucp,scp,ela,mem
UserCPU:SYS_CPU:Elapsed: Avg.Mem:
-------:-------:-------: -------:
   0.8s:   0.2s:  27.1s:  93.19M:
   0.0s:   0.3s:  26.3s:  55.66M:
Actual average memory used was 105m, with "usemem -r" it is closer due to a
higher proportion of user vs. system CPU time, but it is still significantly
off. This is a "feature" not a "bug".
-minflt faults
Minor faults (Linux) to report, specified as with -cio.
-majflt faults
Major faults (Linux) to report, specified as with -cio.
-swaps faults
Swaps (Linux) to report, specified as with -cio.
-aflag flag
Record flag (octal mask) to report.
Reference system /usr/include/sys/acct.h file, typical:
AFORK 0001 has executed fork, but no exec
ASU 0002 used super-user privileges
ACOMPAT 0004 used compatibility mode
ACORE 0010 dumped core
AXSIG 0020 killed by a signal
ACCTF 0300 record type: 00 = acct
-signal signal
Signal termination to report.
This masks off the lower 8 bits of ac_stat (see acct.h) for comparison. See
signal.h for a definition of signal meanings. Where supported, AXSIG must
be set in ac_flag.
+signal signal
Signal termination to exclude.
Use "+signal 0" to report all processes terminated by a signal.
-exit exitcode
Exit code (masks off 8 bits) to report.
Where supported, AXSIG must NOT be set in ac_flag.
+exit exitcode
Exit code (non-zero) to exclude.
By default will include signal terminations, also use "-signal 0" to exclude
signal terminations.
-sa [date.]time | -sa [date@]time
Select records starting after time. Date defaults to first date in
accounting file. Format can be:
yyyymmdd.hhmmss
yymmdd.hhmmss
mmdd.hhmmss
dd.hhmmss
hhmm
hh
mm/dd/yyyy.hh:mm:ss
yyyy-mm-dd.hh:mm:ss
-days
-hh:mm:ss
If hours, minutes, or seconds are omitted defaults to 0.
A negative value indicates before current time, for -days will default
hours, minutes and seconds as 0. Parsing is same as with the ua_date
command.
-sb [date.]time | -sb [date@]time
Select records starting before time. Date defaults to first date in
accounting file.
See -sa for format.
If hours, minutes, or seconds are omitted defaults to 0.
Use "-sa 08:00 +sb 08:15" to select all processes starting between 08:00 and
08:15.
-ea [date.]time | -ea [date@]time
Select records ending after time. Date defaults to first date in accounting
file.
See -sa for format.
If hours, minutes, or seconds are omitted defaults to 0.
-eb [date.]time | -eb [date@]time
Select records ending before time. Date defaults to first date in
accounting file.
See -sa for format.
If hours, minutes, or seconds are omitted defaults to 23:59:59
(respectively).
-at time
Select records starting or ending within the specified start|end dates and
times. This option is used to try and identify child processes with parents
since accounting records for most flavors of UNIX and Linux prior to v3
accounting do not maintain pid and ppid information. Only -sa and -eb can
be used with -at.
-or
Typically different filters are logically and-ed, this changes behaviour to
a logical or-ing. In other words, if any non-time filter successfully
matches the record is selected. The -or is applied to time filters but only
against time filters. With other filters such as:
"-or -uid 7167 -gid 15" if either filter matches the record is selected.
EXAMPLES
Default display, selecting a userid and start time:
iceberg2: date; uname -a
Sun Nov 26 07:21:51 AST 2006
AIX iceberg2 2 5 00203FDA4C00
iceberg2: uakpacct -u kcarlson -sa 7:21
#End_Date/Time_Start_hh:mm:ss_Userid___Command__Flg_Exit__CPU
11/26_07:21:51_______07:21:51_kcarlson_date_____000____0__0.0s
11/26_07:21:51_______07:21:51__________uname____000____0__0.0s
A -mgmt management style report requesting all processes which consumed more than
15 minutes (900 seconds) of CPU from the entire day of pacct* files:
glacier: uakpacct -cpu 900 -f "`ls /var/adm/pacct*`" -mgmt
#End_Date/Time_Start_hh:mm:ss_Userid_Command_CPU_Sec_Elapsed_Rate
09/04_10:42:03_______08:45:06_jnblb__oracle___1026.9__7017.0_14.6
09/04_12:25:04_09/03_12:00:32_sxfinp_oracle___4428.2_87872.0__5.0
From the example above, we might determine what jnblb was doing in Oracle. Since
children tend to start or end at the same time as their parents, by filtering for
processes within 30 seconds we can get a clue as to what was being executed under
Oracle:
glacier: uakpacct -f /var/adm/pacct6 -m -r 0 \
-eb 10:42:03 -sa 08:45:06 -at 30
#End_Date/Time_Start_hh:mm:ss_Userid_Command_CPU_Sec_Elapsed_Rate
09/04_10:42:03_______08:45:06_jnblb__oracle___1026.9__7017.0_14.6
09/04_10:42:04_______08:45:05_jnblb__RPBVLDT_____3.1__7019.0__0.0
09/04_10:42:05_______08:45:00_jnblb__G0.19970____0.2__7025.0
09/04_10:42:05_______08:45:00_jnblb__ua_gur_r____0.0__7025.0
09/04_10:42:05_______08:44:57_jnblb__ksh_________0.3__7028.0
The user was executing the RPBVLDT program, which may need modifications to execute
more efficiently. Note, for the management style report it was necessary to
override the default "-rate 1" to find this.
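The time-window correlation behind -at, as an added Python example that is not part of uakpacct or the original page: it ranks records whose start or end falls within the window of a parent's start or end. The first five records come from the report above and the last two are constructed; the or-matching, the same_user filter and the single-day time handling are assumptions of this example.

```python
# Added example: time-proximity correlation in the spirit of "-at"; not uakpacct code.
def secs(hms):
    """hh:mm:ss -> seconds since midnight (records are assumed to share one day)."""
    h, m, s = map(int, hms.split(":"))
    return h * 3600 + m * 60 + s

# (end, start, user, command)
RECORDS = [
    ("10:42:03", "08:45:06", "jnblb", "oracle"),     # from the report above
    ("10:42:04", "08:45:05", "jnblb", "RPBVLDT"),
    ("10:42:05", "08:45:00", "jnblb", "G0.19970"),
    ("10:42:05", "08:45:00", "jnblb", "ua_gur_r"),
    ("10:42:05", "08:44:57", "jnblb", "ksh"),
    ("09:10:00", "09:09:58", "jnblb", "ls"),         # constructed: mid-run, unrelated
    ("10:42:20", "08:45:10", "sxfinp", "sqlplus"),   # constructed: other user, nearby
]

def related(records, start, end, window=30, same_user=None):
    """Return (command, user, distance) for records near the given start or end.

    distance = |start delta| + |end delta| in seconds; smaller means the record
    tracks the reference process more closely, so likely relatives sort first.
    """
    hits = []
    for rec_end, rec_start, user, command in records:
        if same_user and user != same_user:
            continue                      # hypothetical extra filter, not in -at
        d_start = abs(secs(rec_start) - secs(start))
        d_end = abs(secs(rec_end) - secs(end))
        if d_start <= window or d_end <= window:
            hits.append((d_start + d_end, command, user))
    return [(command, user, dist) for dist, command, user in sorted(hits)]

if __name__ == "__main__":
    for row in related(RECORDS, "08:45:06", "10:42:03", same_user="jnblb"):
        print(row)
```

Time proximity only suggests a relationship: the constructed sqlplus record shows an unrelated user's process landing inside the same window, which is why the user filter is worth applying when pid and ppid are unavailable.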
Show all root processes killed via a signal, also changing the time display to just
end time:
iceberg2: uakpacct +sig 0 +u root -r -human,+end
Ended:Userid :Command :Flg:Exit: CPU :
000101:adm :cat :020: -13: 0.0s:
041809:simonson:ksh :020: -24: 0.0s:
041809: :rsync :020: -24: 745.2s:
041810: :rsync :021: -24: 1.0s:
041809: :csh :020: -24: 0.0s:
041810: :rsync :021: -24:1115.8s:
065055:carnsoil:grep :020: -2: 0.0s:
Using sys/signal.h, simonson received SIGXCPU, carnsoil generated a SIGINT, and adm
generated a SIGPIPE.
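An added example (not uakpacct code) that post-processes the colon-separated report above: it restores user names blanked as repeats, decodes the octal Flg column with the acct.h bits listed under -aflag, and maps negative Exit values to the three signals named here. The needs_review rule and its 60-second CPU limit are hypothetical.

```python
# Added example: post-processing a uakpacct report; not part of uakpacct.
ACCT_FLAGS = {0o001: "AFORK", 0o002: "ASU", 0o004: "ACOMPAT",
              0o010: "ACORE", 0o020: "AXSIG"}   # bits listed under -aflag
# Only the signals this page names; numbers come from the platform's signal.h.
SIGNALS = {2: "SIGINT", 13: "SIGPIPE", 24: "SIGXCPU"}

# Report lines copied from the "+sig 0 +u root" example on this page.
REPORT = """\
Ended:Userid :Command :Flg:Exit: CPU :
000101:adm :cat :020: -13: 0.0s:
041809:simonson:ksh :020: -24: 0.0s:
041809: :rsync :020: -24: 745.2s:
041810: :rsync :021: -24: 1.0s:
041809: :csh :020: -24: 0.0s:
041810: :rsync :021: -24:1115.8s:
065055:carnsoil:grep :020: -2: 0.0s:
"""


def parse_report(text):
    """Return one dict per record, restoring user names blanked as repeats."""
    records, last_user = [], None
    for line in text.splitlines():
        fields = [f.strip() for f in line.rstrip(":").split(":")]
        if len(fields) != 6 or not fields[3].isdigit():
            continue                       # header or malformed line
        ended, user, command, flg, status, cpu = fields
        last_user = user or last_user      # blank user repeats the previous one
        flag, status = int(flg, 8), int(status)   # Flg column is octal
        records.append({
            "ended": ended, "user": last_user, "command": command,
            "flags": [name for bit, name in ACCT_FLAGS.items() if flag & bit],
            # a negative Exit value is a signal number, otherwise an exit code
            "signal": SIGNALS.get(-status, f"signal {-status}") if status < 0 else None,
            "exit": status if status >= 0 else None,
            "cpu_s": float(cpu.rstrip("s")),
        })
    return records


def needs_review(rec, cpu_limit=60.0):
    """Hypothetical triage rule: super-user use, core dump, or a CPU-heavy kill."""
    return ("ASU" in rec["flags"] or "ACORE" in rec["flags"]
            or (rec["signal"] is not None and rec["cpu_s"] >= cpu_limit))


if __name__ == "__main__":
    for rec in parse_report(REPORT):
        print("REVIEW" if needs_review(rec) else "ok    ", rec)
```

Running the report with +blanks avoids the carry-forward step, since repeated users are then printed on every line.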
Requesting only specific report fields and a particular command:
iceberg2: uakpacct -c sleep \
-r none,user,command,start,elapsed
# Date Time :Userid :Command :Elapsed:
20061126@013049:sysmon :sleep : 15.0s:
20061126@013113:sysmon :sleep : 15.0s:
20061126@041810:simonson:sleep : 15.0s:
20061126@052403:carnsoil:sleep : 15.0s:
Produce a summary report by user:
n82: uakpacct -f pacct-20110922 -s_user
#User Count ElaHours UserCpu SysCpu cpuHours
root 16702 0.88 0.00 0.00 0.00
martinso 1189 212.38 142.97 5.41 148.37
sysmon 3 0.00 0.00 0.00 0.00
#Total 17894 213.26 142.97 5.41 148.37
RESTRICTIONS / NOTES
uakpacct has been tested under a variety of UNIX and Linux implementations.
uakpacct utilizes the cci command parser utilized by non-UNIX operating systems
instead of the traditional UNIX getopt() parsing. Actions and options have been
defined to "look like" UNIX style options, but can be spelled out or abbreviated.
For example -u is the same as -user. In some cases options must be fully spelled
out. Because of this, multiple options must be space separated and the hyphen is
part of the option name.
Macintosh OSX acct structure does not have ac_brw or ac_stat. The lack of ac_stat
means no exit status is available.
Linux has at least three pacct file formats. The v2 and v3 formats are newer and
are identified by ac_version in the record structure. Older Linux/GNU formats,
like SLES 9.3, are referred to as v0. With no ac_version to test, uakpacct checks
the first record for an ac_version of 0, which is really the uid in v0. Since the
first record is typically accton, this works. The alternative is to ensure uakpacct
is compiled with an older (v0) acct.h. With the test above a v3 compiled uakpacct
can read v0 or v2 files. As of v3 the Linux kernel is still not writing IO values
to pacct records.
Summary reporting (-s_user, -s_group, -s_command, -n) honors the -cpU, -cpu, -CPU,
and -elapsed minimums as totals. Other filters are applied to individual
processes. If -length is specified it applies to all values and 0 makes all float.
Because the accounting information is very useful for problem isolation, the UNIX
default behaviour of disposing of the pacct*->Spacct* files each night is not
recommended. For Digital UNIX the following change will retain Spacct* files for a
week which is typically long enough to make a weekly backup cycle:
nugget: diff /usr/sbin/runacct /usr/local/sbin/runacct_ua
1a2,3
> #961209 kac cp sbin/runacct /usr/local/sbin/runacct_ua
> #961209 kac use "find -mtime +8" for rm of Spacct* files
400c402,404
< rm -f ${_adm}/Spacct*.${_date}
---
> # rm -f ${_adm}/Spacct*.${_date}
> find ${_adm}/Spacct*.* -mtime +8 -exec rm -f {} \;
> #
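Review bot: In the 400c402,404 change, the new find line passes the unquoted glob ${_adm}/Spacct*.* as its start path, so on a run where no Spacct file exists yet the shell hands find the literal pattern and find reports a missing path from inside runacct. Consider giving find the directory and matching by name instead, for example find "${_adm}" -name 'Spacct*.*' -type f -mtime +8 -exec rm -f {} \; (note this form also descends into any subdirectories of ${_adm}), and quoting ${_adm} in either form.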
427,440d430
ACKNOWLEDGEMENTS
Written at the University of Alaska. Ongoing maintenance via SourceForge by Denali
Sun Consulting.
Suggestions or bug reports can be directed to denalisun907@gmail.com.
RELATED INFORMATION
Files: sys/acct.h(4).
Commands: acctcom(1), uaklogin(1).
Unicos: csa(8).
IRIX: sat_interpret(1M).
DU: audit_tool(8).
Linux: /usr/sbin/dump-acct --help