Managing process accounting on Linux

Process accounting is a method of recording and summarizing commands and processes. It's an option on Linux systems, but you have to enable it and use a particular command to view the details collected. This post covers the commands involved and offers some suggestions on making the views much more useful.

To begin, understand that process accounting is different than what you see when running the ps command. It shows details on commands that have completed, not those that are currently running. It also shows a lot more detail than you'd see by looking at your users' command history files and keeps all of the collected data in a single file on the system.

If you want to turn on process accounting, you need to use a command like this:

$ sudo /usr/sbin/accton on
Turning on process accounting, file set to the default '/var/log/account/pacct'.

On this system, the file /var/log/account/pacct is the file in which the data will be stored. This file is not a plain text file, so don't try viewing it with the more or tail commands. Instead, use the dump-acct command to view it as shown in the example below. Expect a very wide and lengthy display that will wrap around in a normal terminal window unless you widen it considerably or pipe the output to the tail command.

$ sudo dump-acct /var/log/account/pacct | tail
grotty          |v3|     0.00|     0.00|     2.00|  1000|  1000| 12000.00|     0.00|  321103|  321101|     |       0|pts/1   |Fri Aug 14 13:26:07 2020
groff           |v3|     0.00|     0.00|     2.00|  1000|  1000|  6096.00|     0.00|  321101|  321095|     |       0|pts/1   |Fri Aug 14 13:26:07 2020
nroff           |v3|     0.00|     0.00|     4.00|  1000|  1000|  2608.00|     0.00|  321095|  321087|     |       0|pts/1   |Fri Aug 14 13:26:07 2020
man             |v3|     0.00|     0.00|     4.00|  1000|  1000| 10160.00|     0.00|  321096|  321087| F   |       0|pts/1   |Fri Aug 14 13:26:07 2020
pager           |v3|     0.00|     0.00|  2018.00|  1000|  1000|  8440.00|     0.00|  321097|  321087|     |       0|pts/1   |Fri Aug 14 13:26:07 2020
man             |v3|     2.00|     0.00|  2021.00|  1000|  1000| 10160.00|     0.00|  321087|  318116|     |       0|pts/1   |Fri Aug 14 13:26:07 2020
clear           |v3|     0.00|     0.00|     0.00|  1000|  1000|  2692.00|     0.00|  321104|  318116|     |       0|pts/1   |Fri Aug 14 13:26:30 2020
dump-acct       |v3|     2.00|     0.00|     2.00|  1000|  1000|  4252.00|     0.00|  321105|  318116|     |       0|pts/1   |Fri Aug 14 13:26:35 2020
tail            |v3|     0.00|     0.00|     2.00|  1000|  1000|  8116.00|     0.00|  321106|  318116|     |       0|pts/1   |Fri Aug 14 13:26:35 2020
clear           |v3|     0.00|     0.00|     0.00|  1000|  1000|  2692.00|     0.00|  321107|  318116|     |       0|pts/1   |Fri Aug 14 13:26:45 2020

Don't be surprised if some of the processes shown are unfamiliar. Some may have been run by commands that you ran, rather than by you directly (e.g., groff and grotty in the output above). Many are system processes that are independent of user activity.

To better understand what you are looking at, you may want to add column headings as I've done with these commands:

echo "Command         vers  runtime   systime   elapsed    UID    GID   mem_use     chars      PID     PPID  ?    retcode  term     date/time"
sudo dump-acct /var/log/account/pacct | tail -5

Your output will look something like this:

Command         vers  runtime   systime   elapsed    UID    GID   mem_use     chars      PID     PPID  ?    retcode  term     date/time
tail            |v3|     0.00|     0.00|     3.00|     0|     0|  8116.00|     0.00|  358190|  358188|     |       0|pts/1   |Sat Aug 15 11:30:05 2020
pacct           |v3|     0.00|     0.00|     3.00|     0|     0|  9624.00|     0.00|  358188|  358187|S    |       0|pts/1   |Sat Aug 15 11:30:05 2020
sudo            |v3|     0.00|     0.00|     4.00|     0|     0| 10984.00|     0.00|  358187|  354579|S    |       0|pts/1   |Sat Aug 15 11:30:05 2020
gmain           |v3|    14.00|     3.00|  1054.00|  1000|  1000|  1159680|     0.00|  358169|    3179|    X|       0|__      |Sat Aug 15 11:30:03 2020
vi              |v3|     0.00|     0.00|   456.00|  1000|  1000| 10976.00|     0.00|  358194|  354579|     |       0|pts/1   |Sat Aug 15 11:30:28 2020

Note that the headings are spaced out in the echo command so that they will more or less line up with the data columns. Your version of the command may vary. Go ahead and modify the line if the labels don't line up properly on your screen.

The fields, in case they're not clear from the headings, include:

the command that was run
the version of the accounting file format
user time
system time
effective time
user ID
group ID
average memory usage
IO
process ID
parent process ID
?
return code
terminal on which the command was run
date and time when the command completed

Most of the processes shown will be system processes. If you want to see only the processes for a particular user, you can pipe the output to an awk command to select details by userid (column 6). The number (1000) shown in the command below should be replaced with the particular user's numeric UID. Note that dump-acct uses the vertical bar as the field separator. The preceding blank and following $ in the "/ 1000$" specification are required to ensure that the command matches only that userid.

$ sudo dump-acct /var/log/account/pacct | awk -F'|' '$6 ~ / 1000$/'
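The heading and per-user filtering steps above can be combined into one function. This is an added example, not part of the original article: acct_for_uid and sample_acct are hypothetical names, and the sample records are constructed in the layout of the dump-acct output shown on this page. It compares the UID as a number, so it does not depend on the leading blank in the column, which matters for a UID wide enough to fill the six-character field.

```sh
#!/bin/sh
# Added example (hypothetical helper names; sample data is constructed).

# Constructed records in dump-acct's '|'-separated layout, including one
# UID (100000) that fills the whole UID column and so has no leading blank.
sample_acct() {
cat <<'EOF'
vi              |v3|     0.00|     0.00|   456.00|  1000|  1000| 10976.00|     0.00|  358194|  354579|     |       0|pts/1   |Sat Aug 15 11:30:28 2020
sudo            |v3|     0.00|     0.00|     4.00|     0|     0| 10984.00|     0.00|  358187|  354579|S    |       0|pts/1   |Sat Aug 15 11:30:05 2020
backup          |v3|     1.00|     0.00|    90.00| 11000| 11000|  5000.00|     0.00|  358200|       1|     |       1|__      |Sat Aug 15 11:31:00 2020
sync-job        |v3|     1.00|     0.00|    12.00|100000|100000|  4100.00|     0.00|  358210|       1|    X|       0|__      |Sat Aug 15 11:32:00 2020
EOF
}

# Read dump-acct output on stdin and print a tab-separated, labelled
# report of the records that belong to the numeric UID given as $1.
acct_for_uid() {
    awk -F'|' -v uid="$1" '
        function trim(s) { gsub(/^ +| +$/, "", s); return s }
        BEGIN { print "command\tuid\tpid\tppid\tflags\tretcode\tterm\tfinished" }
        # NF >= 15 skips anything that is not a full accounting record;
        # $6 + 0 compares the UID numerically, so padding is irrelevant.
        NF >= 15 && ($6 + 0) == (uid + 0) {
            flags = trim($12)
            if (flags == "") flags = "-"
            printf "%s\t%d\t%d\t%d\t%s\t%d\t%s\t%s\n",
                   trim($1), $6, $10, $11, flags, $13, trim($14), trim($15)
        }'
}

# On a live system:
#   sudo dump-acct /var/log/account/pacct | acct_for_uid 1000
# Offline demonstration with the constructed sample:
sample_acct | acct_for_uid 1000
```

With the sample data, UID 1000 returns only the vi record; the 11000 and 100000 records are not matched by accident, and UID 100000 is still selectable.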

Log rotation

The pacct files can get fairly large, but should be rotated if you're using logrotate, as evidenced in the following listing.

$ ls -ltr /var/log/account | tail -6
-rw-r----- 1 root adm   10229 Aug  9 08:39 pacct.4.gz
-rw-r----- 1 root adm   10020 Aug 10 08:40 pacct.3.gz
-rw-r----- 1 root adm 1190037 Aug 11 08:38 pacct.2.gz
-rw-r----- 1 root adm   10436 Aug 12 08:40 pacct.1.gz
-rw-r----- 1 root adm  110592 Aug 13 08:38 pacct.0
-rw-r--r-- 1 root adm  205056 Aug 14 13:57 pacct

Turning process accounting off and back on

You can easily turn process accounting off if you don't need the data or want to free up the disk space that it uses.

$ sudo /usr/sbin/accton off
Turning off process accounting

The following command will turn it back on again. The file used is the default, so it doesn't need to be specified to start or stop the accounting.

$ sudo /usr/sbin/accton on
Turning on process accounting, file set to the default '/var/log/account/pacct'

Not a process

One of the unusual aspects of process accounting is that it isn't managed by a process. You won't see a related process running when you examine processes with the ps command. Instead, it's managed by the Linux kernel.

Wrap-Up

Process accounting can provide a lot of detail on processes that have run on your systems. It allows you to keep detailed accounting information on both system and user activity along with the system resources used.

Copyright © 2020 , Inc.
