Under Solaris, process accounting logs each
process to <code>/var/adm/pacct</code>.
The <code>adm</code> user runs cron jobs that rotate
the <code>pacct</code> file and generate statistics
in <code>/var/adm/acct</code>.

<p>The most common command to run is
<code>lastcomm</code>, which will report the processes
that are listed in <code>/var/adm/acct</code>.
<p>Things can get complicated if there have been
lots of processes - the process accounting file
should get rotated periodically, so look for
files named <code>/var/adm/pacct<i>N</i></code>(where
<code><i>N</i></code> is an integer)
and run <code>lastcomm -f /var/adm/pacct<i>N</i></code>.

<h2>Yesterday's process accounting logs</h2>
While <a href="http://www.gigascale.org/infrax/faq/96.html">Solaris is being installed</a>,
process accounting is turned on by running
<code>/usr/cluster/etc/setupacct</code>.
This script does several things, one if which is that
<code>/usr/lib/acct/runacct</code> is modified so
that the process accounting logs are saved in
<code>/var/adm/acctbak</code>.   
<p>Try running <code>ls -ltr /var/adm/acctbak</code>
and running <code>lastcomm -f <i>filename</i></code>.
<p>To get earlier process accounting logs, you will 
need to go back to the nightly backups, which are 
run from maury. 

<h2>Accounting Summary Data</h2>
The <code>adm</code> user generates statistics about
users and processes.  These statistics can be found
in <code>/var/adm/acct</code>.  Consult the
<code>acct</code> man page for a summary of the various
commands that are run.
<br><code>/var/adm/acct/nite/</code> has useful
summaries, in particular, see <code>/var/adm/acct/nite/cms</code>

<h2>Who logged in when</h2>
Another modification that was made to the accounting
system is that records of who logged in when are preserved
for longer than one day.
<p>The logs end up in <code>/var/adm/acctback/wtmpx</code>
<p>To use the logs, do something like:
<pre>
last -f /var/adm/acctback/wtmpx.1
</pre>
<p><code>/usr/lib/acct/runacct</code> was
modified to do the rotation with:
<pre>
closewtmp       # fudge a DEAD_PROCESS for /var/wtmpx
cp ${_wtmpx} ${_nite}/${_date}.wtmpx
acctwtmp "runacct" ${_nite}/${_date}.wtmpx
# 9/30/02 save 60 days of logs [cxh]
if [ ! -d /var/adm/acctbak/wtmpx ]; then mkdir /var/adm/acctbak/wtmpx; fi
cp /var/adm/wtmpx /tmp
/usr/local/etc/rotate_log -L /tmp -B /var/adm/acctbak/wtmpx -n 60 wtmpx 2>&1 > \
      /var/adm/acctbak/wtmpx/rotate_log.log
</pre>

<h2><a name="admCronProblems">Problems with accounting</a></h2>
After patching in June, 2003, process accounting stopped
working, probably because the adm user cronjobs were
not running becauase of a combination of changes
to PAM and <code>/etc/passwd</code> having the
adm account have a noshell account (which was set up by
yassp).
<p> The fix was to edit <code>/etc/passwd</code>
on each machine so that the adm line looked like:
<pre>
adm:x:4:4:Admin:/var/adm:/bin/sh
</pre>
and then to run
<pre>
passwd -r files adm
</pre>
and set the adm passwd  - I chose the root passwd,
but any passwd would work.
<p>Symptoms of this problem can be seen
by trying to do <pre>su - adm</pre> and not
being able to log in.  Also, on machines
where cron logging was enabled, <code>/var/cron/log</code>
contained messages like
<pre>
! *** cron started ***   pid = 27268 Tue Jul  1 23:58:08 2003
! bad user (adm) Wed Jul  2 00:00:00 2003
! bad user (adm) Wed Jul  2 01:00:00 2003
! bad user (adm) Wed Jul  2 02:00:00 2003
</pre>