Using system accounting

How accounting works

The following is a step-by-step summary of how UNIX system accounting works:

When the UNIX system is switched into multiuser state, the /usr/lib/acct/startup program is executed. The startup program executes several other programs that invoke accounting: acctwtmp, turnacct, and remove.

acctwtmp adds a ``boot'' record to /var/adm/wtmp. In this record, the system name is shown as the login name in the wtmp record. ``Raw Accounting Data'' summarizes how the raw accounting data is gathered and where it is stored.

turnacct, invoked with the on option, begins process accounting. Specifically, turnacct on executes the accton program with the argument /var/adm/pacct.

remove ``cleans up'' the saved pacct and wtmp files left in the sum directory by runacct.

File in /var/adm Information Written By Format

wtmp connect sessions login, init utmp.h

date changes date

reboots acctwtmp

shutdowns shutacct shell

pacct? processes kernel (when process ends) acct.h

turnacct switch creates new file when old one reaches 500 blocks

fee special charges chargefee

acct/nite/disktacct disk space used dodisk tacct.h

File in /var/adm	Information	Written By	Format
wtmp	connect sessions	login, init	utmp.h
	date changes	date
	reboots	acctwtmp
	shutdowns	shutacct shell
pacct?	processes	kernel (when process ends)	acct.h
		turnacct switch creates new file when old one reaches 500 blocks
fee	special charges	chargefee
acct/nite/disktacct	disk space used	dodisk	tacct.h

Raw Accounting Data

The login and init programs record connect sessions by writing records into /var/adm/wtmp. Any date changes (made by running date with an argument) are also written to /var/adm/wtmp. Reboots and shutdowns (via acctwtmp) are also recorded in /var/adm/wtmp.
When a process ends, the kernel writes one record per process, in the form of acct.h, in the /var/adm/pacct file.
Two programs track disk usage by login: acctdusg and diskusg. They are invoked by the shell script dodisk.
Every hour cron executes the ckpacct program to check the size of /var/adm/pacct. If the file grows past 500 blocks (default), turnacct switch is executed. (The turnacct switch program moves the pacct file and creates a new one.) The advantage of having several smaller pacct files becomes apparent when trying to restart runacct if a failure occurs when processing these records.
If the system is shut down using shutdown, the shutacct program is executed automatically. The shutacct program writes a reason record into /var/adm/wtmp and turns off process accounting.
If you provide services on a request basis (such as file restores), you can keep billing records by login by using the chargefee program. It allows you to add a record to /var/adm/fee each time a user incurs a charge. The next time runacct is executed, this new record is picked up and merged into the total accounting records.
runacct is executed via cron each night. It processes the accounting files /var/adm/pacct?, /var/adm/wtmp, /var/adm/fee, and /var/adm/acct/nite/disktacct to produce command summaries and usage summaries by login.
/usr/lib/acct/prdaily program is executed on a daily basis by runacct to write the daily accounting information collected by runacct (in ASCII format) in /var/adm/acct/sum/rprtMMDD.
The monacct program should be executed on a monthly basis (or at intervals determined by you, such as the end of every fiscal period). The monacct program creates a report based on data stored in the sum directory that has been updated daily by runacct. After creating the report, monacct ``cleans up'' the sum directory to prepare the directory's files for the new runacct data.