acct — execution accounting file
The kernel maintains the following acct information structure for all
processes. If a process terminates, and accounting is enabled, the kernel
calls the acct(2) function to prepare and append the record to the
accounting file.
    #define AC_COMM_LEN 16

    /*
     * Accounting structure version 3 (current).
     * The first byte is always zero.
     * Time units are microseconds.
     */
    struct acctv3 {
            uint8_t   ac_zero;              /* zero identifies new version */
            uint8_t   ac_version;           /* record version number */
            uint16_t  ac_len;               /* record length */
            char      ac_comm[AC_COMM_LEN]; /* command name */
            float     ac_utime;             /* user time */
            float     ac_stime;             /* system time */
            float     ac_etime;             /* elapsed time */
            time_t    ac_btime;             /* starting time */
            uid_t     ac_uid;               /* user id */
            gid_t     ac_gid;               /* group id */
            float     ac_mem;               /* average memory usage */
            float     ac_io;                /* count of IO blocks */
            __dev_t   ac_tty;               /* controlling tty */
            uint16_t  ac_len2;              /* record length */
            union {
                    uint32_t  ac_align;     /* force v1 compatible alignment */
    #define AFORK   0x01                    /* forked but not exec'ed */
    /* ASU is no longer supported */
    #define ASU     0x02                    /* used super-user permissions */
    #define ACOMPAT 0x04                    /* used compatibility mode */
    #define ACORE   0x08                    /* dumped core */
    #define AXSIG   0x10                    /* killed by a signal */
    #define ANVER   0x20                    /* new record version */
                    uint8_t   ac_flag;      /* accounting flags */
            } ac_trailer;
    #define ac_flagx ac_trailer.ac_flag
    };
If a terminated process was created by an execve(2), the name of the
executed file (at most ten characters of it) is saved in the field ac_comm
and its status is saved by setting one or more of the following flags in
ac_flag: AFORK, ACOMPAT, ACORE and AXSIG. ASU is no longer supported. ANVER
is always set in the above structure.
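The structure's self-describing fields (leading zero byte, version number, the two length fields, and ANVER) let a reader of the accounting file detect truncated or malformed records before trusting the flags. The following is an added example, not code from the original page or from the system it documents. Assumptions: `dev_t` stands in for `__dev_t`, `ac_version` is 3 for this structure, both length fields equal `sizeof(struct acctv3)` on the platform that wrote the file, and `acctv3_scan` is a hypothetical name.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#define AC_COMM_LEN 16
#define ACORE 0x08   /* dumped core */
#define AXSIG 0x10   /* killed by a signal */
#define ANVER 0x20   /* new record version */

struct acctv3 {      /* fields as on the page; dev_t replaces __dev_t (assumption) */
    uint8_t  ac_zero, ac_version;
    uint16_t ac_len;
    char     ac_comm[AC_COMM_LEN];
    float    ac_utime, ac_stime, ac_etime;
    time_t   ac_btime;
    uid_t    ac_uid; gid_t ac_gid;
    float    ac_mem, ac_io;
    dev_t    ac_tty;
    uint16_t ac_len2;
    union { uint32_t ac_align; uint8_t ac_flag; } ac_trailer;
};

/* Walks a file image and returns how many records carry a flag in mask.
 * *end is the offset where parsing stopped; *end == len means all were valid. */
size_t acctv3_scan(const unsigned char *buf, size_t len, uint8_t mask, size_t *end)
{
    struct acctv3 r;
    size_t hits = 0;
    for (*end = 0; len - *end >= sizeof(r); *end += r.ac_len) {
        memcpy(&r, buf + *end, sizeof(r));
        if (r.ac_zero != 0 || r.ac_version != 3 || !(r.ac_trailer.ac_flag & ANVER) ||
            r.ac_len != sizeof(r) || r.ac_len2 != r.ac_len)
            break;   /* not a well-formed version 3 record (assumed invariants) */
        hits += (r.ac_trailer.ac_flag & mask) != 0;
    }
    return hits;
}

int main(void)
{
    struct acctv3 img[2] = {{0}};   /* constructed sample, not real accounting data */
    for (int i = 0; i < 2; i++) {
        img[i].ac_version = 3;
        img[i].ac_len = img[i].ac_len2 = sizeof(img[i]);
        img[i].ac_trailer.ac_flag = ANVER | (i ? ACORE | AXSIG : 0);
    }
    size_t end, hits = acctv3_scan((const unsigned char *)img, sizeof(img), ACORE | AXSIG, &end);
    printf("%zu abnormal exit(s); parsed %zu of %zu bytes\n", hits, end, sizeof(img));
    return 0;
}
```

A stop offset short of the file size marks the first record that is truncated or whose header and trailer disagree.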
An acct file format appeared in Version 7 AT&T UNIX. The current record
format was introduced in May 2007. It is backwards compatible with the
previous format, which is still documented in <sys/acct.h> and supported by
lastcomm(1) and sa(8).