Under Solaris, process accounting logs each process to /var/adm/pacct. The adm user runs cron jobs that rotate the pacct file and generate statistics in /var/adm/acct.
The most common command to run is lastcomm, which will report the processes that are listed in /var/adm/acct.
Things can get complicated if there have been lots of processes - the process accounting file should get rotated periodically, so look for files named /var/adm/pacctN (where N is an integer) and run lastcomm -f /var/adm/pacctN.
/usr/cluster/etc/setupacct.
This script does several things, one of which is that /usr/lib/acct/runacct is modified so that the process accounting logs are saved in /var/adm/acctbak. Try running ls -ltr /var/adm/acctbak and running lastcomm -f filename.
To get earlier process accounting logs, you will need to go back to the nightly backups, which are run from maury.
adm user generates statistics about users and processes. These statistics can be found in /var/adm/acct. Consult the acct man page for a summary of the various commands that are run.
/var/adm/acct/nite/ has useful summaries; in particular, see /var/adm/acct/nite/cms.
The logs end up in /var/adm/acctbak/wtmpx.
To use the logs, do something like:
    last -f /var/adm/acctbak/wtmpx.1
/usr/lib/acct/runacct was modified to do the rotation with:
    closewtmp # fudge a DEAD_PROCESS for /var/wtmpx
    cp ${_wtmpx} ${_nite}/${_date}.wtmpx
    acctwtmp "runacct" ${_nite}/${_date}.wtmpx
    # 9/30/02 save 60 days of logs [cxh]
    if [ ! -d /var/adm/acctbak/wtmpx ]; then
        mkdir /var/adm/acctbak/wtmpx;
    fi
    cp /var/adm/wtmpx /tmp
    /usr/local/etc/rotate_log -L /tmp -B /var/adm/acctbak/wtmpx -n 60 wtmpx 2>&1 > \
        /var/adm/acctbak/wtmpx/rotate_log.log
/etc/passwd having the adm account have a noshell account (which was set up by yassp).
The fix was to edit /etc/passwd on each machine so that the adm line looked like:
    adm:x:4:4:Admin:/var/adm:/bin/sh
and then to run
    passwd -r files adm
and set the adm passwd - I chose the root passwd, but any passwd would work.
Symptoms of this problem can be seen by trying to do
    su - adm
and not being able to log in. Also, on machines where cron logging was enabled, /var/cron/log contained messages like
    ! *** cron started *** pid = 27268 Tue Jul 1 23:58:08 2003
    ! bad user (adm) Wed Jul 2 00:00:00 2003
    ! bad user (adm) Wed Jul 2 01:00:00 2003
    ! bad user (adm) Wed Jul 2 02:00:00 2003
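The check below is an added example, not part of the original page: it pulls the "bad user" rejections out of a cron log in the format quoted above and prints the login shell configured for each rejected account, which is the condition that silently stopped the adm accounting jobs. The function names, the temporary sample files and the /path/to/noshell placeholder are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page): find users whose cron jobs were
# rejected with "bad user" and show the login shell behind each rejection.

# Print "user count" for every "! bad user (NAME)" line in cron log $1.
bad_cron_users() {
    sed -n 's/^! bad user (\([^)]*\)).*/\1/p' "$1" | sort | uniq -c |
        awk '{ print $2, $1 }'
}

# Print the login shell (7th field) of user $2 in passwd file $1.
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7; exit }' "$1"
}

# One line per rejected user: name, rejection count, configured shell.
report_rejected() {
    bad_cron_users "$1" | while read -r user count; do
        shell=$(login_shell "$2" "$user")
        echo "$user rejected=$count shell=${shell:-<no passwd entry>}"
    done
}

# Constructed sample input: the log lines mirror those quoted above; the
# passwd entries and the noshell path are placeholders, not from the page.
demo=$(mktemp -d) || exit 1
trap 'rm -rf "$demo"' EXIT
cat > "$demo/cronlog" <<'EOF'
! *** cron started *** pid = 27268 Tue Jul 1 23:58:08 2003
! bad user (adm) Wed Jul 2 00:00:00 2003
! bad user (adm) Wed Jul 2 01:00:00 2003
! bad user (adm) Wed Jul 2 02:00:00 2003
EOF
cat > "$demo/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
adm:x:4:4:Admin:/var/adm:/path/to/noshell
EOF

report_rejected "$demo/cronlog" "$demo/passwd"
```

On a live host, call report_rejected /var/cron/log /etc/passwd instead of the sample files. On older Solaris releases run it under ksh or bash with nawk in place of awk, since the stock /bin/sh and /usr/bin/awk predate the POSIX syntax used here.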