/ file structures / Acct - Execution Accounting File

acct - execution accounting file
#include <sys/types.h>
#include <sys/acct.h>
The kernel maintains the following acct information structure for all processes. If a process terminates, and accounting is enabled, the kernel calls the acct function call to prepare and append the record to the accounting file.

#define AC_COMM_LEN 16 
 * Accounting structure version 2 (current). 
 * The first byte is always zero. 
 * Time units are microseconds. 
struct acctv2 { 
	uint8_t  ac_zero;		/* zero identifies new version */ 
	uint8_t  ac_version;		/* record version number */ 
	uint16_t ac_len;		/* record length */ 
	char	  ac_comm[AC_COMM_LEN];	/* command name */ 
	float	  ac_utime;		/* user time */ 
	float	  ac_stime;		/* system time */ 
	float	  ac_etime;		/* elapsed time */ 
	time_t	  ac_btime;		/* starting time */ 
	uid_t	  ac_uid;		/* user id */ 
	gid_t	  ac_gid;		/* group id */ 
	float	  ac_mem;		/* average memory usage */ 
	float	  ac_io;		/* count of IO blocks */ 
	__dev_t   ac_tty;		/* controlling tty */ 
	uint16_t ac_len2;		/* record length */ 
	union { 
		__dev_t	  ac_align;	/* force v1 compatible alignment */ 
#define	AFORK	0x01			/* forked but not exec'ed */ 
/* ASU is no longer supported */ 
#define	ASU	0x02			/* used super-user permissions */ 
#define	ACOMPAT	0x04			/* used compatibility mode */ 
#define	ACORE	0x08			/* dumped core */ 
#define	AXSIG	0x10			/* killed by a signal */ 
#define ANVER	0x20			/* new record version */ 
		uint8_t  ac_flag;	/* accounting flags */ 
	} ac_trailer; 
#define ac_flagx ac_trailer.ac_flag 

If a terminated process was created by an execve , the name of the executed file (at most ten characters of it) is saved in the field ac_comm and its status is saved by setting one of more of the following flags in ac_flag: AFORK, ACOMPAT, ACORE and ASIG. ASU is no longer supported. ANVER is always set in the above structure.
lastcomm , acct , execve , sa
A acct file format appeared in VersionĀ 7 AT&T UNIX. The current record format was introduced on May 2007. It is backwards compatible with the previous format, which is still documented in <sys/acct.h> and supported by lastcomm and sa .
acct - process accounting file
accounting - Shorewall Accounting file