<table class="head">
<tr>
<td class="head-ltitle">ACCT(5)</td>
<td class="head-vol">File Formats Manual</td>
<td class="head-rtitle">ACCT(5)</td>
</tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<p class="Pp"><code class="Nm">acct</code> — <span class="Nd">execution
accounting file</span></p>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<p class="Pp"><code class="In">#include
&lt;<a class="In">sys/types.h</a>&gt;</code>
<br/>
<code class="In">#include &lt;<a class="In">sys/acct.h</a>&gt;</code></p>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<p class="Pp">The kernel maintains the following <var class="Fa">acct</var>
information structure for all processes. When a process terminates and
accounting is enabled, the kernel calls the <a class="Xr">acct(2)</a>
function to prepare and append the record to the accounting file.</p>
<div class="Bd Pp Li">
<pre>#define AC_COMM_LEN 16 /* size in bytes of the ac_comm field below */
/*
* Accounting structure version 3 (current).
* The first byte is always zero.
* Time units are microseconds.
*
* NOTE(review): a program that parses these records from disk should check
* ac_zero, ac_version and the two length fields before relying on the
* remaining fields of a record.
*/
struct acctv3 {
uint8_t ac_zero; /* zero identifies new version */
uint8_t ac_version; /* record version number */
uint16_t ac_len; /* record length */
/*
* Fixed-size buffer of AC_COMM_LEN bytes.
* NOTE(review): whether a full-length name is NUL-terminated is not stated
* here; confirm before passing ac_comm to string functions.
*/
char ac_comm[AC_COMM_LEN]; /* command name */
float ac_utime; /* user time, in microseconds */
float ac_stime; /* system time, in microseconds */
float ac_etime; /* elapsed time, in microseconds */
time_t ac_btime; /* starting time */
uid_t ac_uid; /* user id */
gid_t ac_gid; /* group id */
float ac_mem; /* average memory usage */
float ac_io; /* count of IO blocks */
__dev_t ac_tty; /* controlling tty */
uint16_t ac_len2; /* record length; presumably repeats ac_len, confirm in sys/acct.h */
/* Trailer: the flag byte shares storage with ac_align. */
union {
uint32_t ac_align; /* force v1 compatible alignment */
/* Bit values stored in ac_flag. */
#define AFORK 0x01 /* forked but not exec'ed */
/* ASU is no longer supported */
#define ASU 0x02 /* used super-user permissions */
#define ACOMPAT 0x04 /* used compatibility mode */
#define ACORE 0x08 /* dumped core */
#define AXSIG 0x10 /* killed by a signal */
#define ANVER 0x20 /* new record version */
uint8_t ac_flag; /* accounting flags */
} ac_trailer;
/* Shorthand for the flag byte inside ac_trailer. */
#define ac_flagx ac_trailer.ac_flag
};</pre>
</div>
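<p class="Pp">If a terminated process was created by an
<a class="Xr">execve(2)</a>, the name of the executed file (at most ten
characters of it) is saved in the field <var class="Fa">ac_comm</var> and
its status is saved by setting one or more of the following flags in
<var class="Fa">ac_flag</var>: <code class="Dv">AFORK</code>,
<code class="Dv">ACOMPAT</code>, <code class="Dv">ACORE</code> and
<code class="Dv">AXSIG</code>. <code class="Dv">ASU</code> is no longer
supported. <code class="Dv">ANVER</code> is always set in the above
structure. Note that the structure above declares
<var class="Fa">ac_comm</var> with <code class="Dv">AC_COMM_LEN</code> (16)
bytes, which does not match the ten-character limit stated here. In either
case only a truncated name is stored, so different executables can produce
identical <var class="Fa">ac_comm</var> values.</p>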
</section>
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
ALSO</a></h1>
<p class="Pp"><a class="Xr">lastcomm(1)</a>, <a class="Xr">acct(2)</a>,
<a class="Xr">execve(2)</a>, <a class="Xr">sa(8)</a></p>
</section>
<section class="Sh">
<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1>
<p class="Pp">An <code class="Nm">acct</code> file format appeared in
<span class="Ux">Version 7 AT&amp;T UNIX</span>. The current record
format was introduced in May 2007. It is backwards compatible with the
previous format, which is still documented in
<code class="In">&lt;<a class="In">sys/acct.h</a>&gt;</code> and supported
by <a class="Xr">lastcomm(1)</a> and <a class="Xr">sa(8)</a>.</p>
</section>
</div>
<table class="foot">
<tr>
<td class="foot-date">February 13, 2017</td>
<td class="foot-os">FreeBSD 15.0</td>
</tr>
</table>