Date: Sun, 12 Nov 2000 14:56:48 -0800 From: "Crist J . Clark" <cjclark@reflexnet.net> To: Tim Tsai <tim@futuresouth.com> Cc: freebsd-stable@FreeBSD.ORG Subject: Re: periodic and 310.accounting Message-ID: <20001112145648.R75251@149.211.6.64.reflexcom.com> In-Reply-To: <20001112161350.A8992@futuresouth.com>; from tim@futuresouth.com on Sun, Nov 12, 2000 at 04:13:50PM -0600 References: <20001112075532.A7158@futuresouth.com> <20001112134724.O75251@149.211.6.64.reflexcom.com> <20001112161350.A8992@futuresouth.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Nov 12, 2000 at 04:13:50PM -0600, Tim Tsai wrote: > On Sun, Nov 12, 2000 at 01:47:24PM -0800, Crist J . Clark wrote: > > I wanted to point out that the "logs" are kept for much longer than > > three days. The raw accounting files are only kept for three days, but > > I believe that /var/account/savacct and /var/account/usracct are never > > touched by any of the distributed daily/weekly/monthly scripts. Your > > accounting information will be saved forever unless you remove it. > > savacct and usracct are just summary files though, right? To view the information in the accounting files I have always used sa(8). You can get all of the same info out of the raw files as you can from the summary ones as far as sa(8) is concerned... I think. > I was looking > for the login times of a particular user and I believe I need the raw log > files for that. That information is not even from the /var/account files, that's in utmp and wtmp. That information is already archived by newsyslog which by default keeps three _months_ of old records (it used to keep a year's worth). See last(1). > > > and > > > the much smarter way is the method used by /etc/newsyslog.conf. Actually, > > > I'd prefer to use newsyslog.conf to handle the accounting files as well. > > > > That is an interesting idea. The problem with that method is that you > > probably want to run a 'sa -s' command right when the logs are rotated > > in the same way newsyslog HUPs syslogd right after it does the > > rotations. > > True. It'll work for me though since I don't care much for the summary > information anyway. Also I meant to say that I'd prefer to use newsyslog > to handle the log files. I don't actually want to lump them into > /etc/newsyslog.conf. My script to run newsyslog could very well run sa > -s at the same time. > > It looks to me there is a small race condition with the 310.accounting > script. > > cp -pf acct acct.0 || rc=3 > sa -s >/dev/null || rc=3 > > wouldn't commands logged between the two statements be lost? Yes and no. No commands will be lost to the summary files (which is what is considered to be important), but there may be commands that are lost between the acct.0 file and the new acct files. > I can't > think of a way to work around this though. Or is there some special > system magic that I am missing? Notice that the 'acct' is never actually removed explicitly in the script. the sa(8) command truncates the acct file after reading in its information, so nothing is lost in the summary files. -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001112145648.R75251>