use-acct

  • 导航 (返回顶部)
1. 简介
2. 安装使用流程
3. 主要命令
	3.1 ac
	3.2 lastcomm
		3.2.1 运行状态
		3.2.2 选项:
		3.2.3 输出列
		3.2.4 flags
		3.2.5 使用中遇到的一些问题
	3.3 sa
		3.3.1 文件
		3.3.2 输出字段:
		3.3.3 选项: 
		3.3.4 使用选项输出列:

1. 简介

https://aur.archlinux.org/packages/acct/
https://www.gnu.org/software/acct/
https://www.gnu.org/software/acct/manual/accounting.html
http://ftp.gnu.org/gnu/acct/
注: (2020-07)最近的版本: acct v6.6.4 2017-07-02 手册则是: v6.6.2 2015-08-19
https://www.kernel.org/doc/Documentation/accounting/
https://man7.org/linux/man-pages/man5/acct.5.html
GNU Accounting Utilities提供了用于GNU/Linux和其他系统的登录和处理会计实用程序。

2. 安装使用流程

Arch Linux的安装:
https://szosoft.blogspot.com/2020/07/instell-gnu-acct.html
https://www.cnblogs.com/sztom/p/13276269.html
acct 软件包安装时在 /etc/logrotate.d 目录安装了转储配置文件,且文件名也是 acct 。

启用
$ sudo systemctl enable acct.service
$ sudo systemctl start acct.service

查看: 使用 ac, sa, lastcomm等命令查看结果

3. 主要命令

3.1 ac

显示有关连接时间的统计信息. (就是统计开机时间)
默认存储文件: /var/log/wtmp
常用选项: -ad 每天登录小时; -d 每次登录小时; -p 每个用户总登录小时; -d tom 这个用户每次登录小时; -da tom 这个用户每天登录小时.
$ ac -ad |grep 24.00 |wc -l   // 292

3.2 lastcomm

列出最后执行的命令
默认存储文件: /var/log/account/pacct

3.2.1 运行状态

查看状态
$ sudo systemctl status acct.service

可以用这个观察记录行的增加速度.
$ watch -d 'sudo lastcomm --pid|wc -l'
注: 长时间使用这行命令并不好, 因为每2秒执行一次, 这行命令本省会添加很多pid到文件中, 增加后续查看分析的难度.

$ sudo stat /var/log/account/pacct
可查看这2个时间就是当前, 表示acct仍在正常工作. (本机遇到过, serice未停止, 但acct却停止的状况.)
Modify: 2020-07-13 22:59:35.350211383 +0800
Change: 2020-07-13 22:59:35.350211383 +0800

如果以上命令发现,状态是运行,或退出. 但lastcomm查询的记录行并没有增加, 说明它已经停止了. 重新打开:
$ sudo accton on
或者先关闭服务,再开启服务.

$ sudo fuser -v /var/log/account/pacct
$ sudo lsof /var/log/account/pacct
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1001/gvfs
      Output information may be incomplete.

3.2.2 选项:

--strict-match Print only entries that match *all* of the arguments on the command line. 严格匹配
--print-controls Print control characters. 打印控制字符。
--user name List records for user with name. This is useful if you're trying to match a username that happens to be the same as a command (e.g., ed ). 列出具有名称的用户的记录。
可以匹配碰巧与命令相同的用户名(e.g., ed ).
--command name List records for command name. 列出命令名称的记录。
--tty name List records for tty name. 列出tty名称的记录。
--forwards Read file forwards instead of backwards.
This avoids trying to seek on the file and can be used to read from a pipe.
This must be specified prior to any -f arguments.
向前而不是向后读取文件。
这样可以避免尝试在文件上查找,并可用于从管道读取。
必须在任何-f参数之前指定它。
-f filename, --file filename Read from the file filename instead of acct.
A filename of "-" will result in reading from stdin.
This must either be the first -f option, or --forwards must precede all -f options.
从文件名而不是acct中读取。
文件名“-”将导致从标准输入中读取。
这必须是第一个-f选项,或者--forwards必须在所有-f选项之前。
--ahz hz Use this flag to tell the program what AHZ should be (in hertz).
This option is useful if you are trying to view an acct file created on another machine which has the same byte order and file format as your current machine, but has a different value for AHZ.
使用此标志告诉程序AHZ应该是多少(以赫兹为单位)。
如果尝试查看在另一台计算机上创建的acct文件,该文件具有与当前计算机相同的字节顺序和文件格式,但AHZ的值不同,则此选项很有用。
-p, --show-paging Print paging statistics. 打印分页统计信息。
--pid Show PID and PPID of the process if acct version 3 format is supported by kernel. 如果内核支持acct版本3格式,则显示进程的PID和PPID。
--pid Add pid of the process and pid of the process parent to the output (pid is the last but one and parent pid the last column).
These values are shown only when they are generated by acct function (depends on the version of kernel)
将流程的pid和流程的父pid添加到输出中(pid是最后一个,但父pid是最后一列)。
这些值仅在由acct函数生成时显示(取决于内核的版本)
--debug Print verbose internal information. 打印详细的内部信息。
-V, --version Print the version number of lastcomm. 打印lastcomm的版本号。
-h, --help Prints the usage string and default locations of system files to standard output and exits. 将使用情况字符串和系统文件的默认位置打印到标准输出并退出。

3.2.3 输出列

  • CMD: 进程的命令名
  • flags: 标志
  • USER: 命令的执行用户
  • TTY: 命令的执行终端
  • Use cpu secs: 命令的执行时间
  • Start time: 命令开始时间

3.2.4 flags

S F C D X X: command was terminated with the signal SIGTERM X-命令以信号SIGTERM终止
| | | D: command terminated with the generation of a core file D-命令终止并生成核心文件
| | C: command run in PDP-11 compatibility mode (VAX only) C-以PDP-11兼容模式运行命令(仅VAX)
| F: command executed after a fork but without a following exec F-在派生后执行但没有后续exec的命令
S: command executed by super-user S-超级用户执行的命令

3.2.5 使用中遇到的一些问题

这部分翻译为英文发送了邮件, 希望这个软件还能有人更新. 或者有其他更好的选择. 这里直接粘贴mail原文:
==================================================
Sorry to bother you. I tried 'acct'.
https://www.gnu.org/software/acct/
https://aur.archlinux.org/packages/acct/
Their problems are:
1. 'lastcomm' output short command (no options), the maximum length is only 15. Since there are no options, you don't know what it does exactly.
2. 'lastcomm --pid': can output (pid, ppid). But not all, using pid sorting, you will find that many pids are missing. Some processes are not recorded.
(If anybody has been using 'acct', you can help me confirm the two questions above.)

I don't know if the acct program still has problems, Or "My Local Environment" may have been maliciously tampered with, So the correct data cannot be obtained.

3. Required filtering options (per boot to the next boot), For example:
Just want to see the list from start boot to current; List of last start boot to shutdown or reboot.

If export to a file, and then do the analysis. Their problems are:
4. Import excel sheet. There will be problems with the text to columns, because the width is inconsistent, so you cannot use fixed-width the text to columns.
 (The length of 'pid, ppid' is inconsistent, Resulting in a change in the column width)
If fix the 'pid, ppid' width and write to the configuration file, the default is 6 digits, which is not enough to modify the configuration, there is no problem.

5. Use 'awk' spaces to separate columns, The number of columns is inconsistent, such as:
'command' column: some will have blanks, some with spaces in the middle (dconf worker). So there may be 0 columns, 1 column, 2 columns.
If not limit the length of 'command' and move this column to the last column, there is no problem.

'flags' column: some will have blanks, some with spaces in the middle. So there may be 0 columns, 1 column, 2 columns.
If the blank part of the output uses a (-), like this : (S---X) there is no problem.
S   X > S---X
 F  X > -F--X
SF  X > SF--X
 F DX > -F-DX

Actually, I need this list. From turn on the computer until now. Don't miss any [PID] (still running [PID], already ended [PID]).
List field: PPID, PID, Threads, USER, Start-time, Change-time, End-time, full-Command
Among:
[Start-time]: Start time of the process
[Change-time]: Process change time. When [PPID] or [full-command] changes
[End-time]: The end time of the process.

I'm not a programmer, so I can't do anything.
But I hope someone can continue to improve this software,
Or there could be better options.
Or at least add some requirements to the to-do list.

Thank you for your time.
==================================================
awk '{print $3"\t"$10,$11,$12,$13,$14,$15,$16}' pidstats.log |sort |uniq -c |sort -rn |grep -vEw 'chromium|man|less|kworker|ss|python|/bin/sh'
awk '{print $1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14}' OFS="\t" lastcomm-pid-0710.1.log > lastcomm.t.log

3.3 sa

3.3.1 文件

将acct文件中的信息汇总到 savacct和usracct文件中。它还会生成有关命令的报告,给出调用次数,使用的cpu时间,平均内核使用率等。
/var/log/account/pacct
/var/log/account/savacct  by cmd
/var/log/account/usracct  by user

3.3.2 输出字段:

  • cpu, cp: sum of system and user time in cpu minutes系统和用户时间的总和(以CPU分钟为单位)
    • (-l) u: user cpu time in cpu seconds用户cpu时间(以cpu秒为单位)
    • (-l) s: system time in cpu seconds以cpu秒为单位的系统时间
  • re: 'elapsed time' in minutes以分钟为单位的“经过时间”
  • k: cpu-time averaged core usage, in 1k unitsCPU时间平均核心使用量,以1k为单位
  • avio: average number of I/O operations per execution每次执行的平均I / O操作数
    • (-D) tio: total number of I/O operationsI / O操作总数
  • (-K) k*sec: cpu storage integral (kilo-core seconds)cpu存储积分(千核心秒)

3.3.3 选项:

排序选项

-b, --Sort-sys-user-div-calls Sort the output by the sum of user and system time divided by the number of calls. 用用户和系统时间的总和除以呼叫数对输出进行排序。
-d, --Sort-avio Sort the output by the average number of disk I/O operations. 按磁盘I / O操作的平均数量对输出进行排序。
-D, --Sort-tio Print and Sort the output by the total number of disk I/O operations. 按磁盘I / O操作总数对输出进行打印和排序。
-k, --Sort-cpu-avmem Sort the output by cpu time average memory usage. 按cpu时间平均内存使用量对输出进行排序。
-K, --Sort-ksec Print and Sort the output by the cpu-storage integral. 通过cpu-storage积分打印输出并对输出进行排序。
-n, --Sort-num-calls Sort the output by the number of calls. This is the default Sorting method. 按呼叫数量对输出进行排序。这是默认的排序方法。
-r, --reverse-Sort Sort output items in reverse order. 以相反的顺序对输出项目进行排序。
--Sort-real-time Sort the output by the "real time" field. 按“实时”字段对输出进行排序。

输出全部细分行

-a, --list-all-names Force sa not to Sort those command names with unprintable characters and those used only once into the ***other group. 强制sa不要将那些带有不可打印字符的命令名和仅使用一次的命令名归入***其他组。

列选项

-c, --percentages Print percentages of total time for the command's user, system, and real time values. 打印命令的用户,系统和实时值的总时间百分比。
-f, --not-interactive When using the `--threshold' option, assume that all answers to interactive queries will be affirmative. 当使用`--threshold'选项时,假设对交互式查询的所有答案都是肯定的。
-i, --dont-read-summary-files Don't read the information in the system's default savacct file. 不要读取系统默认的savacct文件中的信息。
-j, --print-seconds Instead of printing total minutes for each category, print seconds per call. 而不是打印每个类别的总分钟数,而是打印每个呼叫的秒数。
-l, --separate-times Print separate columns for system and user time; usually the two are added together and listed as `cpu'. 打印系统和用户时间的单独列;通常将两者加在一起并列为“ cpu”。
-p, --show-paging Print the number of minor and major pagefaults and swaps. 打印次要和主要的页面错误和交换的数量。
-P, --show-paging-avg Print the number of minor and major pagefaults and swaps divided by the number of calls. 打印次要和主要页面错误和交换的数量除以调用数量。
-t, --print-ratio For each entry, print the ratio of real time to the sum of system and user times. If the sum of system and user times is 对于每个条目,打印实时时间与系统时间和用户时间之和的比率。如果系统时间和用户时间之和为
--separate-forks It really doesn't make any sense to me that the stock version of sa separates statistics for a particular executable 对我来说,sa的普通版本分隔特定可执行文件的统计信息对我来说真的没有任何意义。

其他选项

-m, --user-summary Print the number of processes and number of CPU minutes on a per-user basis. 按用户汇总进程数和CPU分钟数。
-s, --merge Merge the summarized accounting data into the summary files savacct and usracct. 将汇总的会计数据合并到摘要文件savacct和usracct中。
-u, --print-users For each command in the accounting file, print the userid and command name. After printing all entries, quit. *Note*: this 对于计费文件中的每个命令,打印用户标识和命令名称。打印所有条目后,退出。 *注意*:此
-v num --threshold num Print commands which were executed num times or fewer and await a reply from the terminal. If the response begins with `y', 打印命令执行的次数不超过num次,并等待终端的答复。如果响应以“ y”开头,
--ahz hz Use this flag to tell the program what AHZ should be (in hertz). This option is useful if you are trying to view an acct 使用此标志告诉程序AHZ应该是多少(以赫兹为单位)。如果您尝试查看帐户,则此选项很有用
--debug Print verbose internal information. 打印详细的内部信息。
-V, --version Print the version number of sa. 打印sa的版本号。
-h, --help Prints the usage string and default locations of system files to standard output and exits. 将使用情况字符串和系统文件的默认位置打印到标准输出并退出。
--other-usracct-file filename Write summaries by user ID to filename rather than the system's default usracct file. 通过用户ID将摘要写入文件名,而不是系统的默认usracct文件。
--other-savacct-file filename Write summaries by command name to filename rather than the system's default SAVACCT file. 通过命令名称将摘要写入文件名,而不是系统的默认SAVACCT文件。
--other-acct-file filename Read from the file filename instead of the system's default ACCT file. 从文件名而不是系统的默认ACCT文件中读取。

3.3.4 使用选项输出列:

type Options: 列数 次数 re cp re/cp min, /c maj, /c swp, /c avio k cmd
Sort -b 6 次数 re cp         avio k cmd
-d 6 次数 re cp         avio k cmd
-D 6 次数 re cp         tio k cmd
-k 6 次数 re cp         avio k cmd
-K 6 次数 re cp         avio k*sec cmd
-n 6 次数 re cp         avio k cmd
-r 6 次数 re cp         avio k cmd
--sort-real-time 6 次数 re cp         avio k cmd
All -a 6 次数 re cp         avio k cmd
Row -c 9 次数, % re, % cp, %         avio k cmd
-f 6 次数 re cp         avio k cmd
-i 6 次数 re cp         avio k cmd
-j 6 次数 re cp         avio k cmd
-l 7 次数 re u, s         avio k cmd
-p 7 次数 re cp   min maj swp     cmd
-P 7 次数 re cp   min/c maj/c swp/c     cmd
-t 7 次数 re cp re/cp       avio k cmd
--separate-forks 6 次数 re cp         avio k cmd
Sum -m 5 次数 re cp         avio k  

补充说明: -a, --list-all-names
***other*  其他组包括: 第一列, 次数为1的; 最后一列, cmd包含不可打印字符的行.

你可能感兴趣的:(use-acct)