Linux Security Cookbook

by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
June 2003
Intermediate to advanced
336 pages
8h 54m
English
O'Reilly Media, Inc.

9.40. Parsing the Process Accounting Log

Problem

You want to extract detailed information such as exit codes from the process accounting log.

Solution

Read and unpack the accounting records with this Perl script:

#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(:sys_wait_h);          # WIFEXITED, WEXITSTATUS, WIFSIGNALED, WTERMSIG
use constant ACORE => 0x08;         # ac_flag bit: the process dumped core

$/ = \64;                           # read one fixed-size accounting record at a time
while (my $acct = <>) {
    next unless length($acct) == 64;    # ignore a truncated trailing record
    # Field order follows struct acct in /usr/include/sys/acct.h: the first "x"
    # skips the byte after ac_flag, "x2" skips the word before ac_exitcode,
    # and A17 strips the trailing NULs from ac_comm.
    my ($flag, $uid, $gid, $tty, $btime,
        $utime, $stime, $etime, $mem, $io, $rw, $minflt, $majflt, $swaps,
        $exitcode, $comm) = unpack("CxS3LS9x2LA17", $acct);
    printf("%s %-16s", scalar(localtime($btime)), $comm);
    printf(" exited with status %d", WEXITSTATUS($exitcode))
        if WIFEXITED($exitcode);
    printf(" was killed by signal %d", WTERMSIG($exitcode))
        if WIFSIGNALED($exitcode);
    printf(" (core dumped)")
        if $flag & ACORE;
    printf("\n");
}
exit(0);

Discussion

Even the dump-acct command [Recipe 9.39] misses some information recorded by the kernel, such as the exit code. This is really the status that would have been returned by wait(2), and includes the specific signal for commands that were killed. To recover this information, attack the accounting records directly with a short Perl script.

Our recipe reads and unpacks the records according to the struct acct layout described in /usr/include/sys/acct.h, which is the format 2.4-series kernels write. Kernels from 2.6.8 onward write the 64-byte struct acct_v3 layout from the kernel's own linux/acct.h instead: the second byte of each record holds the format version (3, with the high bit set when the file is big-endian), ac_exitcode moves to offset 4, and ac_uid, ac_gid, ac_pid and ac_ppid become 32-bit fields, so check that byte before trusting the offsets in the unpack template. When we run the script on a file in the old format, it produces a chronological report that describes how each process expired, e.g.:

Sun Feb 16 21:23:56 2003 ls               exited with status 0
Sun Feb 16 21:24:05 2003 sleep            was killed by signal 2
Sun Feb 16 21:24:14 2003 grep             exited ...
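The same parser in Python, as an added example that is not the book's code. It unpacks the old struct acct layout the recipe's "CxS3LS9x2LA17" template describes and, going beyond the recipe, the acct_v3 layout that kernels since 2.6.8 write, choosing between them by the version byte at offset 1 and honouring the big-endian marker bit. The comp_t counters are expanded to plain integers and the exit status is decoded by hand the way the wait(2) macros do it. The three records in SAMPLE_LOG are constructed here, not captured from a real system; pass a real pacct file as the first argument to parse that instead.

```python
#!/usr/bin/env python3
"""Parse Linux process accounting (pacct) records and report how each process died.

Added example, not the book's code.  Handles the struct acct layout the recipe
unpacks with "CxS3LS9x2LA17" and the acct_v3 layout kernels since 2.6.8 write
(include/uapi/linux/acct.h).  The sample records below are constructed.
"""
import struct
import sys
import time

RECORD_SIZE = 64        # struct acct and struct acct_v3 are both 64 bytes
ACORE = 0x08            # ac_flag: process dumped core
AXSIG = 0x10            # ac_flag: killed by a signal (set by 2.6+ kernels)
ACCT_BYTEORDER = 0x80   # set in ac_version when the file is big-endian

# Old layout: flag, version/pad, uid16, gid16, tty, btime, nine comp_t
# counters, ac_ahz, exitcode, comm[17]; the remaining 11 bytes are padding.
V1_FMT = "BBHHHIHHHHHHHHHHI17s"
# acct_v3: flag, version, tty, exitcode, uid, gid, pid, ppid, btime,
# etime (float), eight comp_t counters, comm[16].
V3_FMT = "BBHIIIIIIfHHHHHHHH16s"
COUNTERS = ("utime", "stime", "mem", "io", "rw", "minflt", "majflt", "swaps")


def decode_comp_t(c):
    """comp_t is a 16-bit pseudo-float: 13-bit mantissa, 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def decode_wait_status(status):
    """Same test the wait(2) macros make, done by hand so it runs on any host."""
    low = status & 0x7F
    if low == 0:                                   # WIFEXITED
        return ("exited", (status >> 8) & 0xFF)    # WEXITSTATUS
    if low != 0x7F:                                # WIFSIGNALED
        return ("signaled", low)                   # WTERMSIG
    return ("stopped", (status >> 8) & 0xFF)       # WIFSTOPPED, never seen in pacct


def parse_record(buf):
    """Unpack one 64-byte record into a dict, picking the layout by ac_version."""
    if len(buf) != RECORD_SIZE:
        raise ValueError("short accounting record: %d bytes" % len(buf))
    version = buf[1]
    if version & ACCT_BYTEORDER:
        endian = ">"
    elif version & 0x7F:
        endian = "<"
    else:
        endian = "="    # pre-2.6 file: no marker, assume the writing host's order
    if (version & 0x7F) == 3:
        fields = struct.unpack(endian + V3_FMT, buf)
        flag, _, tty, exitcode, uid, gid, pid, ppid, btime, etime = fields[:10]
        counters, comm = fields[10:18], fields[18]
    else:
        fmt = endian + V1_FMT
        fields = struct.unpack(fmt, buf[:struct.calcsize(fmt)])
        flag, _, uid, gid, tty, btime = fields[:6]
        etime = decode_comp_t(fields[8])           # ac_etime is a comp_t here
        counters = fields[6:8] + fields[9:15]      # skip etime, keep the other eight
        pid = ppid = None                          # not recorded in the old format
        exitcode, comm = fields[16], fields[17]
    rec = {"version": version & 0x7F, "flag": flag, "uid": uid, "gid": gid,
           "tty": tty, "pid": pid, "ppid": ppid, "btime": btime,
           "etime_ticks": etime, "exitcode": exitcode,
           "comm": comm.split(b"\0", 1)[0].decode("latin-1")}
    rec.update(zip(COUNTERS, (decode_comp_t(c) for c in counters)))
    return rec


def parse_records(data):
    """Split a pacct byte string into records; a truncated tail is dropped."""
    whole = len(data) - len(data) % RECORD_SIZE
    return [parse_record(data[i:i + RECORD_SIZE]) for i in range(0, whole, RECORD_SIZE)]


def format_record(rec):
    """One report line in the recipe's output format."""
    kind, value = decode_wait_status(rec["exitcode"])
    line = "%s %-16s" % (time.asctime(time.localtime(rec["btime"])), rec["comm"])
    if kind == "exited":
        line += " exited with status %d" % value
    elif kind == "signaled":
        line += " was killed by signal %d" % value
    if rec["flag"] & ACORE:
        line += " (core dumped)"
    return line


def _v1(comm, exitcode, flag=0):
    # Constructed old-format record: version byte 0, host byte order, 11 pad bytes
    return struct.pack("=" + V1_FMT + "11x", flag, 0, 1000, 1000, 0, 1045452236,
                       1, 1, 3, 0x2005, 0, 0, 7, 0, 0, 100, exitcode, comm)


def _v3(comm, exitcode, flag, pid):
    # Constructed acct_v3 record: version 3 without ACCT_BYTEORDER (little-endian)
    return struct.pack("<" + V3_FMT, flag, 3, 0, exitcode, 1000, 1000, pid, 1,
                       1045452245, 900.0, 1, 1, 0x2005, 0, 0, 7, 0, 0, comm)


SAMPLE_LOG = (_v1(b"ls", 0)                               # exit status 0
              + _v3(b"sleep", 2, AXSIG, 4242)              # killed by SIGINT
              + _v3(b"segv", 11, AXSIG | ACORE, 4243))     # SIGSEGV, core dumped

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for rec in parse_records(data):
        print(format_record(rec))
```

The version byte is the safety check the Perl template lacks: a file written by a 2.6 or later kernel parsed with the old offsets would put ac_uid's low half where ac_tty is expected and report the exit code from the middle of ac_gid, silently producing plausible-looking nonsense.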


ISBN: 0596003919