Date:      Mon, 13 Nov 2000 22:06:12 -0800
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        Tim <tim@futuresouth.com>
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: periodic and 310.accounting
Message-ID:  <20001113220612.A75251@149.211.6.64.reflexcom.com>
In-Reply-To: <20001113155636.I10482@futuresouth.com>; from tim@futuresouth.com on Mon, Nov 13, 2000 at 03:56:36PM -0600
References:  <20001112075532.A7158@futuresouth.com> <20001112134724.O75251@149.211.6.64.reflexcom.com> <20001112161350.A8992@futuresouth.com> <20001112145648.R75251@149.211.6.64.reflexcom.com> <20001113155636.I10482@futuresouth.com>

On Mon, Nov 13, 2000 at 03:56:36PM -0600, Tim wrote:
> On Sun, Nov 12, 2000 at 02:56:48PM -0800, Crist J . Clark wrote:
> > To view the information in the accounting files I have always used
> > sa(8). You can get all of the same info out of the raw files as you
> > can from the summary ones as far as sa(8) is concerned... I think.
> >
> > > I was looking
> > > for the login times of a particular user and I believe I need the raw log
> > > files for that.
> > 
> > That information is not even from the /var/account files, that's in
> > utmp and wtmp. That information is already archived by newsyslog which
> > by default keeps three _months_ of old records (it used to keep a
> > year's worth). See last(1).
> 
>   I am sorry, I should know better than post without thinking first.  I
> was looking for the times/dates that each command was executed.  I think
> that's in the raw files only.

I believe so. Looking at the sa(8) source, it does nothing with the
execution time.

> > >   It looks to me there is a small race condition with the 310.accounting
> > > script.
> > > 
> > >     cp -pf acct acct.0 || rc=3
> > >     sa -s >/dev/null || rc=3
> > > 
> > >   wouldn't commands logged between the two statements be lost?
> > 
> > Yes and no. No commands will be lost to the summary files (which is
> > what is considered to be important), but there may be commands that
> > are lost between the acct.0 file and the new acct files.
> 
>   Ok, I might still be confused here, but I personally don't care much
> about the summary files but am interested more in the raw files,
> specifically time/date each command was executed.

That is in the raw files, but you are in the minority in wanting
that. Most people who use accounting want totals for billing use,
seeing what commands are most popular, etc. Since the accounting files
are not particularly useful from a security point of view either,
there is not a lot of demand to track command timing.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
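
The window discussed in this message, as an added example that is not part of the original e-mail or of the 310.accounting script: text lines stand in for binary acct records and the hypothetical `summarize` function stands in for `sa -s`. The `rename_then_summarize` ordering and every helper name are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed simulation of the rotation window. Text lines stand in for
# binary acct records; summarize() stands in for "sa -s", which folds the raw
# file into the summary files and then truncates it.

summarize() {                      # $1 = raw file, $2 = summary file
    cat "$1" >> "$2"
    : > "$1"
}

seed() {                           # $1 = work dir; two constructed records
    mkdir -p "$1" && printf 'ls 09:00\nvi 09:05\n' > "$1/acct"
}

# Order from the quoted script: copy the live file, then summarize it.
# $2 is a record written by a process exiting between the two steps.
copy_then_summarize() (
    cd "$1" || exit 1
    cp -pf acct acct.0
    echo "$2" >> acct
    summarize acct summary
)

# Assumed alternative (not from the thread): rename the live file first so
# late records land in a fresh acct, then summarize a scratch copy.
rename_then_summarize() (
    cd "$1" || exit 1
    mv acct acct.0
    : > acct                       # a real system would re-run accton(8) here
    echo "$2" >> acct
    cp -p acct.0 acct.merge
    summarize acct.merge summary
    rm -f acct.merge
)

# Print how many raw files (acct, acct.0) in dir $1 still hold record $2.
raw_copies() {
    n=0
    for f in "$1/acct" "$1/acct.0"; do
        if grep -qxF "$2" "$f" 2>/dev/null; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Demo in a scratch directory: 0 = late record gone from raw files, 1 = kept.
d=$(mktemp -d)
seed "$d/a" && copy_then_summarize "$d/a" "rm 09:10" && raw_copies "$d/a" "rm 09:10"
seed "$d/b" && rename_then_summarize "$d/b" "rm 09:10" && raw_copies "$d/b" "rm 09:10"
rm -rf "$d"
```

In the first ordering the late record reaches the summary but survives in neither raw file, so its execution time is unrecoverable; in the second it stays in the new raw file until the next rotation.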

