man uakpacct
NAME
uakpacct - Filtered reporting of pacct* | Spacct* | nqacct* files
SYNOPSIS
uakpacct -options
DESCRIPTION
The uakpacct command provides a formatted dump of UNIX accounting
files with various filtering options to select specific information.
Filtering options include:
by userid or group;
by command name;
by tty name (in hex);
by pid, ppid, or job id (on supported platforms);
by duration;
by cpu, block rw, or character io used;
by cpu vs. elapsed threshold rates;
by maximum average memory;
by minor or major faults or swaps (Linux);
by accounting flag or termination signal;
by start or end time and date.
The uakpacct command is similar to the UNIX acctcom command (and
others), but with enhanced filtering and with source available for
customization.
Many people consider the UNIX accounting files useful only for
resource accounting information (e.g., chargeback). However, when
you consider that there are entries for every process termination,
including start time, elapsed time, resource consumption, SUID
execution, and abnormal termination, the accounting files can be an
excellent tool for problem isolation and determination.
OPTIONS (general)
-file file(s)
Files to report from, defaults to /var/adm/pacct on many
platforms. Delimit multiple filenames with a space (in
quotes) or a comma.
-binary binary-output-file
-output report-output-file
-quiet Quiet option (no headers displayed).
-verbose
Verbose option.
OPTIONS (reporting)
The default report format is -short. There are several pre-defined
formats or -report can be used to select which fields to display.
-short Produce short report, same as '-r short'.
Fields include: user, command, flag, exit, cpu.
Both start and end time are displayed, as with '-r human'.
-mgmt Identical to -short but includes '-r rate -R 1' to report
processes which consume greater than 1% of CPU over their
elapsed time.
-long Produce long report, same as '-r long'.
Additional fields include: group, tty, ucpu, scpu, ela, cio,
blo, mem, date, time, -hum, -cpu.
-event Event report, same as '-r event'. Writes two lines per
record with a hex record sequence number. First record has
start time and second has end time. Output can be sorted for
an approximate event log. However, because the start time
has resolution only to one second, sorting is inaccurate
unless record order is maintained on matching times (file is
originally ordered by process end).
-lookup
Do lookup gid->group.
By default group is displayed as gid, which is faster.
+lookup
Do not lookup uid->userid.
By default userid is looked up; this option is faster.
-blanks
Use blanks with repeated date, user, or group.
This makes a report more readable and is the default for
-short.
+blanks
Do not blank repeated date, user, or group.
This makes a report more parsable and is the default for
-long.
-FS Specify report field separators.
By default -short uses a space and -long uses a colon.
Three characters can be specified for fields, time, and
date.
Time defaults to colon and date defaults to slash.
Time will default to period if colon is specified for fields.
Date will default to dash if slash is specified for fields.
-report field[,field...]
Specify report fields.
Use 'uakpacct -v -r?' for the current list of fields.
Single fields in order of display:
seq :event sequence number
etime :event time
human :end and start date and time
date :start date
time :start time
start :start date and time
end :end time
user :username or uid
group :group or gid
jid|job :jobid or jid (Cray)
apid :application id (Cray X1)
pid :pid (Cray)
ppid :ppid (Cray)
tty :terminal id (hex)
command :command executed
flag :exit flags
signal|exit :signal (negative) or exit code
wlm :wlm class (AIX)
WLM|key :wlm key (hex, AIX)
ucpu :user cpu time
scpu :system cpu time
cpu :total cpu time
elapse :elapsed time
rate :cpu/elapsed percentage
minflt :minor faults (Linux)
majflt :major faults (Linux)
swaps :swaps (Linux)
chario|cio :character IO
blockrw|brw :block read/writes
memory :average memory
himem :high memory (Cray)
In addition to individual report fields, report types or multi-field
aliases can be used. When a report type is specified it will null
any existing field specifications.
General reports and multiple fields:
short :default short report
mgmt :report with -Rate 1
long :long report
event :event report
80 :archaic report format (old -80)
none :clear all fields
umk :long with Unicos/mk (Cray T3E) fields
unicos :long with Unicos (Cray) fields
ids :adds user, command, flag, signal
Memory :adds minflt, majflt, swaps (Linux)
stats :add ucpu, scpu, elapse, cio, brw, memory
OPTIONS (filtering)
The following options can be used to filter which records are
displayed.
-user user|uid[,user|uid...]
To select user(s) to report.
+user user|uid[,user|uid...]
To exclude user(s).
-group group|gid[,group|gid...]
To select group(s) to report.
+group group|gid[,group|gid...]
To exclude group(s).
-command command[,command...]
To select command(s) to report.
Only eight characters of a command name are preserved in acct
files on most platforms. Wildcards are permitted when specifying
command names; you may need to escape them depending on your
shell.
+command command[,command...]
To exclude command(s).
-tty tty[,tty...]
To select tty name(s) to report (in hex).
Each specified tty should be 8 hex digits or wildcarded. A
tty of -1 (ffffffff) is used by most platforms for non-terminal
processes.
+tty tty[,tty...]
To exclude tty(s).
-jobid jobid[,jobid...]
Select records matching jobid (Cray).
-pid pid[,pid...]
Select records matching pid or ppid where supported (Cray).
-elapsed time
Elapsed time to report.
Default is seconds, can specify as N.Nm(inute), N.Nh(our),
N.Nd(ay).
-cpu time
Total cpu time to report (default in seconds).
-CPU time
System cpu time to report (default in seconds).
-cio chario
Character IO to report.
Can specify as N.Nk|K|m|M|g|G, where k=1000, K=1024 (etc.).
-Rate pct
To specify a threshold rate of CPU usage.
The cpu seconds are divided by the elapsed seconds to determine
the rate. This filter is useful for identifying processes which
consumed more than their fair share of CPU resources. Under
-mgmt the default value for -Rate is 1% of cpu resources.
-brw blocks
Blocks read/written to report, specified as with -cio.
-memory K-bytes
Average memory to report.
Default as K-bytes, can specify N.Nm|M|g|G.
Note, some platforms do not represent average memory. For
example, both AIX and Irix only increment the value for system,
not user, cpu time. In the following examples 'usemem -b 100
-i 1 -max 110 [-r]' was used:
aix: uakpacct -c usemem -r none,ucp,scp,ela,mem
User-CPU:SYS_CPU:Elapsed: Avg.Mem:
-------:-------:-------: -------:
0.8s: 0.2s: 27.1s: 93.19M:
0.0s: 0.3s: 26.3s: 55.66M:
Actual average memory used was 105m; with 'usemem -r' it is
closer due to a higher proportion of user vs. system CPU
time, but it is still significantly off. This is a "feature",
not a "bug".
-minflt faults
Minor faults (Linux) to report, specified as with -cio.
-majflt faults
Major faults (Linux) to report, specified as with -cio.
-swaps faults
Swaps (Linux) to report, specified as with -cio.
-aflag flag
Record flag (octal mask) to report.
Reference system /usr/include/sys/acct.h file, typical:
AFORK 0001 has executed fork, but no exec
ASU 0002 used super-user privileges
ACOMPAT 0004 used compatibility mode
ACORE 0010 dumped core
AXSIG 0020 killed by a signal
ACCTF 0300 record type: 00 = acct
-signal signal
Signal termination to report.
This masks off the lower 8 bits of ac_stat (see acct.h) for
comparison. See signal.h for a definition of signal meanings.
Where supported, AXSIG must be set in ac_flag.
+signal signal
Signal terminate to exclude.
Use '+signal 0' to report all processes terminated by a signal.
-exit exitcode
Exit code (masks off 8 bits) to report.
Where supported, AXSIG must NOT be set in ac_flag.
+exit exitcode
Exit code (non-zero) to exclude.
By default this will include signal terminations; also use
'-signal 0' to exclude signal terminations.
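The -aflag, -signal and -exit filters above all derive from two raw fields of the accounting record, and -Rate from two more. This added example (not uakpacct code) decodes constructed Linux `struct acct_v3` records and derives the flag names, the signed signal/exit value and the cpu/elapsed rate in the way the page describes; the 64-byte little-endian layout, the wait-status form of ac_exitcode and AHZ=100 are assumed from linux/acct.h, not stated on this page, and the sample records are constructed.

```python
import struct

# Assumed Linux struct acct_v3 layout (linux/acct.h): flag, version, tty,
# exitcode, uid, gid, pid, ppid, btime, etime (float), eight comp_t fields
# (utime, stime, mem, io, rw, minflt, majflt, swaps) and a 16-byte command.
ACCT_V3 = struct.Struct("<BBHIIIIIIf8H16s")
AHZ = 100   # accounting clock ticks per second (assumed)
FLAGS = {0o01: "AFORK", 0o02: "ASU", 0o04: "ACOMPAT", 0o10: "ACORE", 0o20: "AXSIG"}

def comp_t(v):
    """Decode comp_t: 13-bit mantissa scaled by a 3-bit base-8 exponent."""
    return (v & 0x1FFF) << (3 * (v >> 13))

def to_comp_t(n):
    """Encode comp_t as the kernel does (low-order bits are dropped)."""
    exp = 0
    while n > 0x1FFF:
        n >>= 3
        exp += 1
    return (exp << 13) | n

def decode(rec):
    (flag, _ver, _tty, status, uid, _gid, _pid, _ppid, _btime, etime,
     utime, stime, *_rest, comm) = ACCT_V3.unpack(rec)
    cpu = (comp_t(utime) + comp_t(stime)) / AHZ
    elapsed = etime / AHZ
    # ac_exitcode is a wait status: low 7 bits = signal, bits 8-15 = exit code.
    # With AXSIG set, report the signal as a negative number like the Exit column.
    exit_or_sig = -(status & 0x7F) if flag & 0o20 else (status >> 8) & 0xFF
    return {
        "command": comm.split(b"\0", 1)[0].decode("ascii", "replace"),
        "uid": uid,
        "flag": f"{flag:03o}",                       # octal, as in -aflag
        "flags": [name for bit, name in FLAGS.items() if flag & bit],
        "exit": exit_or_sig,
        "cpu": cpu,
        "elapsed": elapsed,
        "rate": round(100 * cpu / elapsed, 1) if elapsed else 0.0,  # -Rate basis
    }

def make_record(comm, flag, status, uid, utime, stime, etime):
    """Constructed sample record (not a real pacct capture); times in ticks."""
    return ACCT_V3.pack(flag, 3, 0xFFFF, status, uid, 0, 0, 0, 0, float(etime),
                        to_comp_t(utime), to_comp_t(stime), 0, 0, 0, 0, 0, 0,
                        comm.encode())

if __name__ == "__main__":
    # Killed by SIGXCPU (24) after 15.2s of CPU in 27.1s elapsed -> exit -24.
    print(decode(make_record("rsync", 0o20, 24, 1001, 1500, 20, 2710)))
    # Ran with super-user privileges (ASU) and exited normally with status 1.
    print(decode(make_record("sudo", 0o02, 1 << 8, 0, 0, 30, 50)))
```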
-sa hh[:mm[:ss]] | -time hh[:mm[:ss]]
Select records starting after time.
A negative time with no date provided specifies minutes
before current time.
-sb hh[:mm[:ss]] | +time hh[:mm[:ss]]
Select records starting before time.
Use '-sa 08:00 +sb 08:15' to select all processes starting
between 08:00 and 08:15.
-eb hh[:mm[:ss]] | -Time hh[:mm[:ss]]
Select records ending before time.
-ea hh[:mm[:ss]] | +Time hh[:mm[:ss]]
Select records ending after time.
-date [mm/]dd[/yy]
Select records on|after start date.
If a start date is not provided it will default to the date
of the first record read from the first accounting file.
-Date [mm/]dd[/yy]
Select records ending on|before date.
If an end date is not provided it will default to the start
date. Start time defaults to 00:00:00 and end time defaults
to 23:59:59.
+date [mm/]dd[/yy]
Select records starting before|on date.
+Date [mm/]dd[/yy]
Select records ending before|on date.
-at seconds
Select records starting or ending within the specified
start|end dates and times. This option is used to try and
identify child processes with parents since accounting
records for most flavors of UNIX do not maintain pid and ppid
information. Only -t (-sa), -T (-eb), -d, -D can be used
with -at, the '+' time filters will fail.
-or Typically different filters are logically and'd, this
changes behaviour to a logical or'ing. In other words, if
any non-time filter successfully matches the record is
selected. The '-or' is applied to time filters but only
against time filters. With other filters such as:
'-or -uid 7167 -gid 15' if either filter matches the record
is selected.
EXAMPLES
Default display, selecting a userid and start time:
iceberg2: date; uname -a
Sun Nov 26 07:21:51 AST 2006
AIX iceberg2 2 5 00203FDA4C00
iceberg2: uakpacct -u kcarlson -sa 7:21
#End_Date/Time_Start_hh:mm:ss_Userid___Command__Flg_Exit__CPU
11/26_07:21:51_______07:21:51_kcarlson_date_____000____0__0.0s
11/26_07:21:51_______07:21:51__________uname____000____0__0.0s
A -mgmt management style report requesting all processes which
consumed more than 15 minutes (900 seconds) of CPU from the entire
day of pacct* files:
glacier: uakpacct -cpu 900 -f "`ls /var/adm/pacct*`" -mgmt
#End_Date/Time_Start_hh:mm:ss_Userid_Command_CPU_Sec_Elapsed_Rate
09/04_10:42:03_______08:45:06_jnblb__oracle___1026.9__7017.0_14.6
09/04_12:25:04_09/03_12:00:32_sxfinp_oracle___4428.2_87872.0__5.0
From the example above, we might determine what jnblb was doing in
Oracle. Since children tend to start or end at the same time as
their parents, by filtering for processes within 30 seconds we can
get a clue as to what was being executed under Oracle:
glacier: uakpacct -f /var/adm/pacct6 -m -r 0 \
-eb 10:42:03 -sa 08:45:06 -at 30
#End_Date/Time_Start_hh:mm:ss_Userid_Command_CPU_Sec_Elapsed_Rate
09/04_10:42:03_______08:45:06_jnblb__oracle___1026.9__7017.0_14.6
09/04_10:42:04_______08:45:05_jnblb__RPBVLDT_____3.1__7019.0__0.0
09/04_10:42:05_______08:45:00_jnblb__G0.19970____0.2__7025.0
09/04_10:42:05_______08:45:00_jnblb__ua_gur_r____0.0__7025.0
09/04_10:42:05_______08:44:57_jnblb__ksh_________0.3__7028.0
The user was executing the RPBVLDT program, which may need
modifications to execute more efficiently. Note, for the management
style report it was necessary to override the default '-rate 1' to
find this.
Show all root processes killed via a signal, also changing the time
display to just end time:
iceberg2: uakpacct +sig 0 +u root -r -human,+end
Ended:Userid :Command :Flg:Exit: CPU :
000101:adm :cat :020: -13: 0.0s:
041809:simonson:ksh :020: -24: 0.0s:
041809: :rsync :020: -24: 745.2s:
041810: :rsync :021: -24: 1.0s:
041809: :csh :020: -24: 0.0s:
041810: :rsync :021: -24:1115.8s:
065055:carnsoil:grep :020: -2: 0.0s:
Using sys/signal.h, simonson received SIGXCPU, carnsoil generated a
SIGINT, and adm generated a SIGPIPE.
Requesting only specific report fields and a particular command:
iceberg2: uakpacct -c sleep \
-r none,user,command,start,elapsed
# Date Time :Userid :Command :Elapsed:
20061126@013049:sysmon :sleep : 15.0s:
20061126@013113:sysmon :sleep : 15.0s:
20061126@041810:simonson:sleep : 15.0s:
20061126@052403:carnsoil:sleep : 15.0s:
RESTRICTIONS / NOTES
uakpacct has been tested under a variety of UNIX and Linux
implementations. Suggestions for enhancements or bug reports can be
directed to fnkac@uaf.edu.
uakpacct uses the cci command parser used by non-UNIX operating
systems instead of the traditional UNIX getopt() parsing.
Actions and options have been defined to "look like" UNIX style
options, but can be spelled out or abbreviated. For example '-u' is
the same as '-user'. In some cases options must be fully spelled
out. Because of this, multiple options must be space separated and
the hyphen is part of the option name.
Macintosh OSX acct structure does not have ac_brw or ac_stat. The
lack of ac_stat means no exit status is available.
Because the accounting information is very useful for problem
isolation, the UNIX default behaviour of disposing of the
pacct*->Spacct* files each night is not recommended. For Digital
UNIX the following change will retain Spacct* files for a week,
which is typically long enough to cover a site's weekly backup
cycle:
nugget: diff /usr/sbin/runacct /usr/local/sbin/runacct_ua
1a2,3
> #961209 kac cp sbin/runacct /usr/local/sbin/runacct_ua
> #961209 kac use 'find -mtime +8' for rm of Spacct* files
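Review bot: the header comment records 'find -mtime +8' while the text introducing this change says Spacct* files are retained for a week; -mtime +8 removes only files last modified more than eight full days ago, so state the intended retention period in the comment (or keep the number in one variable used by both the comment and the command) so the two do not drift apart.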
400c402,404
< rm -f ${_adm}/Spacct*.${_date}
---
> # rm -f ${_adm}/Spacct*.${_date}
> find ${_adm}/Spacct*.* -mtime +8 -exec rm -f {} \;
> #
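Review bot: in the added find line, ${_adm}/Spacct*.* is an unquoted shell glob that the shell expands before find runs; on a night with no matching Spacct* file the literal pattern is handed to find, which then fails with "No such file or directory" instead of doing nothing. Prefer `find "${_adm}" -name 'Spacct*.*' -mtime +8 -exec rm -f {} \;` so find does the matching itself, and drop the commented-out original rm line rather than keeping it as dead code, since the comment block in the first hunk already records the reason for the change.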
427,440d430
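Review bot: hunk 427,440d430 shows only its header; the fourteen deleted lines are not included, so this part of the change to runacct cannot be reviewed from the diff. Include the removed lines (or describe what they did) so the modification is fully documented.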
ACKNOWLEDGEMENTS
The uakpacct utility was written at the University of Alaska.
RELATED INFORMATION
Files: sys/acct.h(4).
Commands:
acctcom(1), uaklogin(1).
Unicos:
csa(8).
IRIX: sat_interpret(1M).
DU: audit_tool(8).
Linux: /usr/sbin/dump-acct --help