OpenBSD manual page server

Manual Page Search Parameters

ACCT(5) File Formats Manual ACCT(5)

acctexecution accounting file

#include <sys/acct.h>

The kernel maintains the following acct information structure for all processes. If a process terminates, and accounting is enabled, the kernel calls the acct(2) function call to prepare and append the record to the accounting file.

/*
 * Accounting structures; these use a comp_t type which is a 3 bits base 8
 * exponent, 13 bit fraction floating point number.  Units are 1/AHZ
 * seconds.
 */
typedef u_int16_t comp_t;

struct acct {
	char	  ac_comm[10];	/* command name */
	comp_t	  ac_utime;	/* user time */
	comp_t	  ac_stime;	/* system time */
	comp_t	  ac_etime;	/* elapsed time */
	time_t	  ac_btime;	/* starting time */
	uid_t	  ac_uid;	/* user id */
	gid_t	  ac_gid;	/* group id */
	u_int16_t ac_mem;	/* average memory usage */
	comp_t	  ac_io;	/* count of IO blocks */
	dev_t	  ac_tty;	/* controlling tty */

#define	AFORK	0x01		/* fork'd but not exec'd */
#define	ASU	0x02		/* used super-user permissions */
#define	ACOMPAT	0x04		/* used compatibility mode */
#define	ACORE	0x08		/* dumped core */
#define	AXSIG	0x10		/* killed by a signal */
#define	APLEDGE	0x20		/* killed due to pledge violation */
#define	ATRAP	0x40		/* memory access violation */
	u_int8_t  ac_flag;	/* accounting flags */
};

/*
 * 1/AHZ is the granularity of the data encoded in the comp_t fields.
 * This is not necessarily equal to hz.
 */
#define	AHZ	64

#ifdef _KERNEL
int	acct_process(struct proc *p);
#endif

If a terminated process was created by an execve(2), the name of the executed file (at most ten characters of it) is saved in the field ac_comm and its status is saved by setting one or more of the following flags in ac_flag: AFORK, ASU, ACOMPAT, ACORE, and AXSIG.

lastcomm(1), acct(2), execve(2), accton(8), sa(8)

An acct file format first appeared in Version 7 AT&T UNIX.

June 8, 2017 OpenBSD-6.4