NAME

acct — execution accounting file

SYNOPSIS

#include <sys/acct.h>

DESCRIPTION

The kernel maintains the following acct information structure for all processes. If a process terminates, and accounting is enabled, the kernel calls the acct(2) function call to prepare and append the record to the accounting file.

/* 
 * Accounting structures; these use a comp_t type which is a 3 bits base 8 
 * exponent, 13 bit fraction ``floating point'' number.  Units are 1/AHZ 
 * seconds. 
 */ 
typedef u_short comp_t; 
 
struct acct { 
	char	ac_comm[10];	/* name of command */ 
	comp_t	ac_utime;	/* user time */ 
	comp_t	ac_stime;	/* system time */ 
	comp_t	ac_etime;	/* elapsed time */ 
	time_t	ac_btime;	/* starting time */ 
	uid_t	ac_uid;		/* user id */ 
	gid_t	ac_gid;		/* group id */ 
	short	ac_mem;		/* memory usage average */ 
	comp_t	ac_io;		/* count of IO blocks */ 
	dev_t	ac_tty;		/* controlling tty */ 
#define	AFORK	0x01		/* forked but not execed */ 
#define	ASU	0x02		/* used super-user permissions */ 
#define	ACOMPAT	0x04		/* used compatibility mode */ 
#define	ACORE	0x08		/* dumped core */ 
#define	AXSIG	0x10		/* killed by a signal */ 
	char	ac_flag;	/* accounting flags */ 
}; 
 
/* 
 * 1/AHZ is the granularity of the data encoded in the comp_t fields. 
 * This is not necessarily equal to hz. 
 */ 
#define	AHZ	64 
 
#ifdef KERNEL 
struct vnode	*acctp; 
#endif

If a terminated process was created by an execve(2), the name of the executed file (at most ten characters of it) is saved in the field ac_comm and its status is saved by setting one of more of the following flags in ac_flag: AFORK, ACORE and ASIG.

The ASU and ACOMPAT flags are no longer recorded by the system, but are retained for source compatibility.

SEE ALSO

lastcomm(1), acct(2), execve(2), accton(8), sa(8)

HISTORY

A acct file format appeared in Version 7 AT&T UNIX.