man uakpacct
NAME
uakpacct - Filtered reporting of pacct* | Spacct* | nqacct* files
SYNOPSIS
uakpacct [-options]
DESCRIPTION
Many people consider the UNIX accounting files as useful only for resource
accounting information (e.g., chargeback). However, when you consider that
there are entries for any process termination including start time, elapse
time, resource consumption the accounting files can be an excellent tool
for problem isolation and determination.
The uakpacct command provides a formatted dump of UNIX accounting files
with various filtering options to select specific information. Filtering
options include:
by userid or uid;
by group or gid;
by cpu threshhold rates;
by number of CPU seconds consumed;
by number of mb character i/o;
by number of blocks read or written;
by minutes of elapsed time for the process;
by command name;
by tty name (in hex);
by accounting flag and termination signal;
by start or end time;
by start or end date.
For Cray Unicos systems uakpacct can also perform filtering on csa record
type. uakpacct is similar to the UNIX acctcom command (and others), but
with enhanced filtering and with source available for customization.
OPTIONS
General Options
-file file(s) to report from
Default -f /var/adm/pacct
-f /var/adm/day/pacct (for Cray Unicos)
Example -f "`ls -t /var/adm/Spacct*0308`"
Delimit multiple filenames with a space or comma.
-binary binary-output-filename
-output report-output-filename
-verbose verbose option
-event event reporting
Writes two lines for each pacct record.
First has the process start time and the second has the end time
(start plus elapsed) with the resource information.
The output from this can then be sorted for an approximate event log.
However, because the start time has resolution only to one second,
sorting is inaccurate unless record order is maintained on matching
times (file is originally ordered by process end).
-End End time display (vs. elapsed time)
-nolookup do not lookup uid->userid (*much* faster execution)
-lookup lookup gid->group (default is faster)
-80 produce short (<80 column) report
Produce a shorter report (less than 80 columns).
Information is similar to the -mgmt report except there is no implied rate
and the tty,flg,sig are displayed instead of elapsed,rate.
-mgmt produce 'management style' report
The normal display requires a 132 column screen in order to display
all available information. With -mgmt the display will fit within
80 columns with only the "most pertinent" information.
This option implies -rate 1 which can be over-riden.
-Start display start date even if equals end date
This option is applicable only in conjunction with -mgmt.
If specified, the end date will always be displayed.
Filtering Options
-uid uid
To select a uid (user) to report on.
-gid gid
To select a gid (group) to report on.
-user user1,[user2...]
To select one or more users to report on.
+user user1,[user2...]
To exclude one or more users.
-group group1[,group2...]
To select one or more groups to report on.
+group group1[,group2...]
To exclude one or more groups.
-cpu seconds
Threshold of cpu greater than seconds to select.
-CPU seconds
Threshold of system cpu greater than seconds to select.
-cio m-char
Threshold of mega-character i/o to select.
-brw blocks
Threshold of blocks read/write to select.
For Unicos/mk (CRAY_MPP) sysystems this is logical io requests.
-lapsed minutes
Threshold of elapsed minutes to select.
-command command1[,command2...]
To select one or more commands to report on.
Only eight characters of commands are preserved in acct files.
Wildcards are permitted when specifying command names, you
may need to specify with an escape depending on your shell,
such as: -c \*sh\*.
+command command1[,command2...]
To exclude one or more commands.
-tty tty1[,tty2...]
To select one or more tty names (in hex) to report on.
Each sepecified tty should be 8 hex digits or wildcarded.
Typically a tty of -1 (ffffffff) is used by most platforms
for non-terminal processes.
+tty tty1[,tty2...]
To exclude one or more ttys.
-aflag flag
To select a particular octal accounting flag.
Reference your acct.h file, for Digital UNIX:
AFORK 0001 has executed fork, but no exec
ASU 0002 used super-user privileges
ACCTF 0300 record type: 00 = acct
ACOMPAT 0004 used compatibility mode
ACORE 0010 dumped core
AXSIG 0020 killed by a signal
-signal hex-signal
To select a particular hexadecimal termination signal.
This masks off the lower 8 bits of ac_stat (see acct.h) for comparison.
See signal.h for a definition of signal meanings.
-time hh[:mm[:ss]] # start time after
-Time hh[:mm[:ss]] # end time before
-date [mm/]dd[/yy] # start date after
-Date [mm/]dd[/yy] # end date before
If a start date is not provided it will default to the date
of the first record read from the first accounting file.
If an end date is not provided it will default to the start date.
Start time defaults to 00:00:00 and end time defaults to 23:59:59.
+time hh[:mm[:ss]] # start time before
+Time hh[:mm[:ss]] # end time after
+date [mm/]dd[/yy] # start date before
+Date [mm/]dd[/yy] # end date after
These filters are like their '-' options except the
date time comparison is reversed.
It is possible to specify '-t 08:00 +t 08:15' to isolate
all processes starting between 08:00 and 08:15.
-at seconds
To select records starting or ending within the specified start|end
dates and times. This option is used to try and identify
child processes with parents since accounting records for most
flavors of UNIX do not maintain pid and ppid information.
See the examples.
Only -t,-T,-d,-D can be used with -at, the '+' time filters will fail.
-or
Typically different filters are logically and'd, this changes
behaviour to a logical or'ing. In other words, if any non-time
filter successfully matches the record is selected.
The '-or' is applied to time filters but only against time
filters. With other filters such as '-or -uid 7167 -gid 15'
if either filter matches the record is selected.
-rate pct
To specify a threshhold rate of CPU usage. The cpu seconds are divided
by the elapsed seconds to determine the rate.
This filter is useful for identifying processes which consumed more
than their fair share of CPU resources.
Under -mgmt the default value for -rate is 1% of cpu resources.
Cray Unicos[/mk] Specific Options
Note, uakpacct can process both pacct and nqacct files.
-Record Unicos-record-type-abbreviations
Specify via single character abbreviations Cray Unicos csa record
type, where:
* is all records
p is pacct records (process termination)
r is performance records
c is configuration records
n is nqs records
t is tape records
s is job start records
e is job end records
o is other records (such as multi-tasking or mpp)
x is unprintable records (for -binary)
default is pcnto record types.
If o is omitted, then -mpp will imply mpp records and -mut will
imply multi-tasking records.
-xcpu connect time and system call time
For Cray systems display ac_ctime (typically same as user cpu) and
ac_sctime (system call cpu time).
-mpp MPP-detail
For Cray MPP systems (such as T3E's), display cpu and io
metrics for every PE in an MPP record.
-mut multi-tasking detail
For multi-tasking records (e.g., Cray J90 systems) information is
displayed in the form:
/Multi-task: 8|12/ 19718-u 16270-c 1*14884 2*662 3*250 ...
where 8 of 12 cpu's were utilized for an aggregate user cpu time
of 19718 seconds and connected to 1 or more cpu's for 16270 seconds
with the 14884 seconds connected to 1 cpu, 662 seconds connected
to 2 cpus, etc.
-seqno seqno1,[seqno2...]
-jobid jobid1,[jobid2...]
-pid pid1,[pid2...]
The above three filters are applicable to Cray Unicos only.
The pid check is against both pid or ppid for a process.
The seqno check is applicable only to NQS (nqacct) records.
DISPLAY FORMAT (headers)
Two forms of display are used. The default is a record dump of all avail-
able information and the optional is the -mgmt 'management style' report.
Default format:
Date Time Start date and time of process
(also end date/time with -event)
Command UNIX command (first 8 characters)
userid Userid or UID
group Group or GID
tty Numeric (hex) tty designator
flg Termination accounting flag
sig Exit status (signal or errno)
ucpu_sec CPU seconds, user mode
scpu_sec CPU seconds, system mode
elapsed Elapased time (seconds)
mchar-io mega-character i/o
block-rw block read|write
avg.mem average memory usage
Cray Unicos csa format (pacct):
Following headers are added:
jobid jobid
pid pid
ppid ppid
and for Unicos/mk (CRAY_MPP) systems:
lio_req logical io requests (instead of block-rw)
M flag=Y if multiple PEs used
Note, for Cray Unicos or Unicos/mk csa accounting much additional
information is available. For csa command is displayed where tty
appears for other systems, jobid is displayed where
command was displayed, and pid and ppid are included at end.
For sig under U/mk reference wait(2) man for breakdown.
Cray Unicos csa format (non-pacct):
Headers for each record type will be printed with -verbose option.
Management style:
End_Date/Time End date and time
Start_hh:mm:ss Start date and time
Userid Userid
Command UNIX command
CPU_Sec CPU seconds (sum of user and system mode)
Elapsed Elapsed seconds
Rate CPU consumption rate
EXAMPLES
Default display, selecting a userid:
sxkac@java: date; uname -a
Thu Sep 4 16:01:18 AKDT 1997
OSF1 java.sois.alaska.edu V3.2 62 alpha
sxkac@java: uakpacct -u sxkac
Date Time Command userid group tty flg sig ucpu_sec...
---- ---- ------- ------ ----- --- --- --- --------...
19970904@160118:date :sxkac #0 :00600002 000 0: 0.0
19970904@160121:uname :sxkac #0 :00600002 000 0: 0.0
The above display was truncated intentionally, 132 columns are required
unless -mgmt or -80 are specified.
Following is a -tty filter requsting by a specific userid and any non-
terminal (tty is -1) commands:
snkac@java: uakpacct -tty ffffffff -u snkac -80
#End_Date/Time Start_hh:mm:ss Userid Command CPU_Sec :tty(hex) flg sig
#------------- -------- ------ ------- ------- :-------- --- ---
09/09 08:28:21 08:28:20 snkac popper 0.3 :ffffffff 002 0
09/09 08:58:21 08:58:18 snkac popper 0.4 :ffffffff 002 0
An -event report sorted by date and time (sorry, this one is not particu-
larly interesting):
sxkac@java: uakpacct -u sxkac -e | uakce -k1,68 | sort
---- ---- ____ ------- ------ ----- --- --- --- -------
0904@160118 11e0:date :sxkac #0 :00600002
0904@160118 11e0:date :sxkac #0 :00600002 000 0: 0.
0904@160121 11e1:uname :sxkac #0 :00600002
0904@160121 11e1:uname :sxkac #0 :00600002 000 0: 0.
0904@160126 11e2:uakpacct:sxkac #0 :00600002
0904@160126 11e2:uakpacct:sxkac #0 :00600002 000 0: 0.
Date Time seq# Command userid group tty flg sig ucpu_se
With event reports you can use the 'seq#' to associate interleaved records.
With event records the four digit year is omitted.
A -mgmt management style report requesting all processes which consumed
more than 15 minutes (900 seconds) of CPU from the entire days pacct*
files:
sxkac@glacier: uakpacct -cpu 900 -f "`ls /var/adm/pacct*`" -m
#End_Date/Time Start_hh:mm:ss Userid Command CPU_Sec Elapsed Rate
-------------- -------- ------ ------- ------- ------- ----
09/04 10:42:03 08:45:06 jnblb oracle 1026.9 7017.0 14.6
09/04 12:25:04 09/03 12:00:32 sxfinp oracle 4428.2 87872.0 5.0
From the example above, determine what jnblb was doing in Oracle.
Since children tend to start or end at the same time as their parents, by
filtering for processes within 30 seconds we can get a clue as to what was
being executed under Oracle:
sxkac@glacier: uakpacct -f /var/adm/pacct6 -m -r 0 \
> -T 10:42:03 -t 08:45:06 -at 30
#End_Date/Time Start_hh:mm:ss Userid Command CPU_Sec Elapsed Rate
-------------- -------- ------ ------- ------- ------- ----
09/04 10:42:03 08:45:06 jnblb oracle 1026.9 7017.0 14.6
09/04 10:42:04 08:45:05 jnblb RPBVLDT 3.1 7019.0 0.0
09/04 10:42:05 08:45:00 jnblb G0.19970 0.2 7025.0
09/04 10:42:05 08:45:00 jnblb ua_gur_r 0.0 7025.0
09/04 10:42:05 08:44:57 jnblb ksh 0.3 7028.0
The user was executing RPBVLDT program which may need modifications to more
efficiently execute. Note, for the management style report it was neces-
sary to over-ride the default '-rate 1' to find this.
RESTRICTIONS / NOTES
uakpacct has been tested under Digital UNIX v3.2g and v4.0b, IRIX 6.2 to
6.5, Cray Unicos 9.0 and 10.0, and Cray Unicos/mk 2.0. Suggestions for
enhancements or bug reports can be directed to dutools@ts.sois.alaska.edu.
uakpacct utilizes the cci command parser utilized by non-UNIX operating
systems instead of the traditional UNIX getopt() parsing. Actions and
options have been defined to "look like" UNIX style options, but can be
spelled out or abbreviated in many cases. For example '-u' is the same as
'-user'. In some cases, like '-cpu' options must be fully spelled out.
Required option length can be found by uakpacct -?. Because of this multi-
ple options must be space separated and the hyphen is part of the option
name.
Because the accounting information is very useful for problem isolation,
the general default behaviour of disposing of the pacct*->Spacct* files
each night is not recommended. For Digital UNIX the following change will
retain Spacct* files for a week which is typically long enough to make a
site's weekly backup cycle:
sxkac@nugget: diff /usr/sbin/acct/runacct /usr/local/sbin/runacct_ua
1a2,3
> #961209 sxkac cp /usr/sbin/acct/runacct /usr/local/sbin/runacct_ua
> #961209 sxkac use 'find -mtime +8' for rm of Spacct* files
400c402,404
< rm -f ${_adm}/Spacct*.${_date}
---
> # rm -f ${_adm}/Spacct*.${_date}
> find ${_adm}/Spacct*.* -mtime +8 -exec rm -f {} \;
> #
427,440d430
As of v0.9 nominal support for Unicos and Unicos/mk was added. Unicos/mk
includes a 'remote cpu time' which is added to system time. For both fla-
vors of Unicos base accounting records and reporting of several csa record
types (see -Record above) is supported as well as some additional filters.
Some sample (known values) Cray accounting files for both a J90 and a T3E
are included in the examples directory of the distribution.
ACKNOWLEDGEMENTS
The uakpacct utility was written at the University of Alaska.
RELATED INFORMATION
Files: sys/acct.h(4).
Commands: acctcom(8), uaklogin(8).
Unicos: csa(8).
IRIX: sat_interpret(1M).
DU: audit_tool(8).