Date: Mon, 13 Nov 2000 15:56:36 -0600 From: Tim <tim@futuresouth.com> To: cjclark@alum.mit.edu Cc: freebsd-stable@FreeBSD.ORG Subject: Re: periodic and 310.accounting Message-ID: <20001113155636.I10482@futuresouth.com> In-Reply-To: <20001112145648.R75251@149.211.6.64.reflexcom.com>; from cjclark@reflexnet.net on Sun, Nov 12, 2000 at 02:56:48PM -0800 References: <20001112075532.A7158@futuresouth.com> <20001112134724.O75251@149.211.6.64.reflexcom.com> <20001112161350.A8992@futuresouth.com> <20001112145648.R75251@149.211.6.64.reflexcom.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Nov 12, 2000 at 02:56:48PM -0800, Crist J . Clark wrote: > To view the information in the accounting files I have always used > sa(8). You can get all of the same info out of the raw files as you > can from the summary ones as far as sa(8) is concerned... I think. > > > I was looking > > for the login times of a particular user and I believe I need the raw log > > files for that. > > That information is not even from the /var/account files, that's in > utmp and wtmp. That information is already archived by newsyslog which > by default keeps three _months_ of old records (it used to keep a > year's worth). See last(1). I am sorry, I should know better than post without thinking first. I was looking for the times/dates that each command was executed. I think that's in the raw files only. > > It looks to me there is a small race condition with the 310.accounting > > script. > > > > cp -pf acct acct.0 || rc=3 > > sa -s >/dev/null || rc=3 > > > > wouldn't commands logged between the two statements be lost? > > Yes and no. No commands will be lost to the summary files (which is > what is considered to be important), but there may be commands that > are lost between the acct.0 file and the new acct files. Ok, I might still be confused here, but I personally don't care much about the summary files but am interested more in the raw files, specifically time/date each command was executed. > > I can't > > think of a way to work around this though. Or is there some special > > system magic that I am missing? > > Notice that the 'acct' is never actually removed explicitly in the > script. the sa(8) command truncates the acct file after reading in its > information, so nothing is lost in the summary files. Right, but we definitely could lose information in the acct.* archives. Tim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001113155636.I10482>