What is System Accounting?

System accounting software in the Solaris OS is a set of programs that enables you to collect and record data about user connect time, CPU time charged to processes, and disk usage. Once you collect this data, you can generate reports and charge fees for system usage.

You can use system accounting on a daily or monthly basis. Or, you can tack disk usage per user.

You can use the accounting programs to perform these tasks:

After you set up the system accounting programs, they run mostly on their own.

How System Accounting Works

Automatic accounting is set up by first putting the accounting startup script into root's crontab file. The accounting startup script can then be started automatically by the cron command.

The following overview describes the system accounting process.

  1. Between system startup and shutdown, raw data about system use (such as user logins, running processes, and data storage) are collected in accounting files.

  2. Periodically (usually once a day), the /usr/lib/acct/runacct script processes the various accounting files and produces both cumulative summary files and daily accounting reports. Then, the /usr/lib/acct/prdaily script prints the daily reports.

    For more information about the runacct script, see runacct Script.

  3. Monthly, you can process and print the cumulative runacct summary files by executing the monacct script. The summary reports produced by the monacct script provide an efficient means for billing users on a monthly or other fiscal basis.

System Accounting Components

The system accounting software provides C language programs and shell scripts that organize data into summary files and reports. These programs reside in the /usr/lib/acct directory. The accounting reports reside in the /var/adm/acct directory.

Daily accounting can help you perform four types of auditing:

  • Connect accounting

  • Process accounting

  • Disk accounting

  • Fee calculations

Connect Accounting

Connect accounting enables you to determine the following information:

  • The length of time a user was logged in

  • How the tty lines are being used

  • The number of reboots on your system

  • How many times the accounting software was turned off and on

To provide this information on connect sessions, the system stores the following data

  • Record of time adjustments

  • Boot times

  • Number of times the accounting software was turned off and on

  • Changes in run levels

  • The creation of user processes (login processes and init processes)

  • The terminations of processes

These records are produced from the output of system programs such as date, init, login, ttymon, and acctwtmp. They are stored in the /var/adm/wtmpx file. Entries in the wtmpx file can contain the following information:

  • Login name

  • Device name

  • Process ID

  • Entry type

  • Time stamp that denotes when the entry was made

Process Accounting

Process accounting enables you to keep track of the following data about each process that runs on your system:

  • User IDs and group IDs of users using the process

  • Beginning times and elapsed times of the process

  • CPU time for the process (user time and system time)

  • Amount of memory used by the process

  • Commands run by the process

  • The tty that controls the process

Every time a process terminates, the exit program collects this information and writes it to the /var/adm/pacct file.

Disk Accounting

Disk accounting enables you to gather and format the following data about the files each user has on disks:

  • User name and user ID of the user

  • Number of blocks that are used by the user's files

This data is collected by the /usr/lib/acct/dodisk shell script at intervals that are determined by the entry you add to the /var/spool/cron/crontabs/root file. In turn, the dodisk script invokes the acctdisk and acctdusg commands. These commands gather disk usage by login name.

Caution

Information gathered by running the dodisk script is stored in the /var/adm/acct/nite/disktacct file. This information is overwritten the next time the dodisk script is run. Therefore, avoid running the dodisk script twice in the same day.

The acctdusg command might overcharge for files that are written randomly, which can create holes in the files. This problem occurs because the acctdusg command does not read the indirect blocks of a file when determining the file size. Rather, the acctdusg command determines the file size by checking the current file size value in the file's inode.

Fee Calculations

The chargefee utility stores charges for special services that are provided to a user in the /var/adm/fee file. A special service, for example, is file restoration. Each entry in the file consists of a user login name, user ID, and the fee. This file is checked by the runacct script every day, and new entries are merged into the accounting records. For instructions on running the chargefee script to bill users, see How to Bill Users.

How Daily Accounting Works

Here is a step-by-step summary of how daily accounting works:

  1. When the system is switched into multiuser mode, the /usr/lib/acct/startup program is executed. The startup program executes several other programs that invoke daily accounting.

  2. The acctwtmp program adds a “boot” record to the /var/adm/wtmpx file. In this record, the system name is shown as the user name in the wtmpx record. The following table summarizes how the raw accounting data is gathered and where it is stored.

    File in /var/adm

    Information Stored

    Written By

    Format

    wtmpx

    Connect sessions

    login, init

    Binary

    Changes

    date

    Binary

    Reboots

    acctwtmp

    Binary

    Shutdowns

    shutacct

    Binary

    pacctn

    Processes

    Kernel (when the process ends)

    Binary

    turnacct switch (which creates a new file when the old file reaches 500 blocks)

    Binary

    fee

    Special charges

    chargefee

    ASCII

    acct/nite/disktacct

    Disk space used

    dodisk

    Binary

  3. The turnacct script, invoked with the on option, begins process accounting. Specifically, the turnacct script executes the accton program with the /var/adm/pacct argument.

  4. The remove shell script “cleans up” the saved pacct and wtmpx files that are left in the sum directory by the runacct script.

  5. The login and init programs record connect sessions by writing records into the /var/adm/wtmpx file. Date changes (using date with an argument) are also written to the /var/adm/wtmpx file. Reboots and shutdowns using the acctwtmp command are also recorded in the /var/adm/wtmpx file.

  6. When a process ends, the kernel writes one record per process, using the acct.h format, in the /var/adm/pacct file.

    Every hour, the cron command executes the ckpacct script to check the size of the /var/adm/pacct file. If the file grows beyond 500 blocks (default), the turnacct switch command is executed. (The program moves the pacct file to the pacct n file and creates a new file.) The advantage of having several smaller pacct files becomes apparent when you try to restart the runacct script if a failure occurs when processing these records.

  7. The runacct script is executed by the cron command each night. The runacct script processes the accounting files to produce command summaries and usage summaries by user name. These accounting files are processed: /var/adm/pacct n, /var/adm/wtmpx, /var/adm/fee, and /var/adm/acct/nite/disktacct.

  8. The /usr/lib/acct/prdaily script is executed on a daily basis by the runacct script to write the daily accounting information in the /var/adm/acct/sum/rprt MMDD files.

  9. The monacct script should be executed on a monthly basis (or at intervals you determine, such as at the end of every fiscal period). The monacct script creates a report that is based on data stored in the sum directory that has been updated daily by the runacct script. After creating the report, the monacct script “cleans up” the sum directory to prepare the directory's files for the new runacct data.

What Happens if the System Shuts Down

If the system is shut down by using the shutdown command, the shutacct script is executed automatically. The shutacct script writes a reason record into the /var/adm/wtmpx file and turns off process accounting.