When accounting is enabled, the Unix kernel writes a record to a binary data file as each process terminates. These files are traditionally stored in the home directory of the standard user adm (/var/adm on most recent systems), although some current systems no longer use that account and simply run the accounting software as root. Nevertheless, for sentimental reasons, the examples in this chapter generally use /var/adm as the location of the accounting data files.
Records written to the rawaccounting file by the System V and BSD accounting systems contain the same data. It is only the ordering of the fields within each record that varies between the flavors (consult the /usr/include/sys/acct.h file for details). Accounting records contain the following data about each process that runs on the system:
Image name (for example, grep)
CPU time used (separated into user and system time)
Elapsed time taken for the process to complete (sometimes called “wall clock time”)
Time the process began
Associated user and group IDs
Lifetime memory usage (in BSD, the average use of the process’ lifetime; in System V, the aggregate sum of the memory in use at each clock tick)
Number of characters read and written
Number of disk I/O blocks read and written
Accounting flags associated with the process
Process’ exit status
Other binary data files store additional accounting data:
Contains data about each currently logged-in user.
login enters a record for each ...