Linux Security Cookbook [Electronic resources] - text version


Daniel J. Barrett, Robert G. Byrnes, Richard Silverman

Recipe 9.40 Parsing the Process Accounting Log



9.40.1 Problem


You want to extract detailed information such as exit codes from the
process accounting log.


9.40.2 Solution


Read and unpack the accounting records with this Perl script:

#!/usr/bin/perl
use POSIX qw(:sys_wait_h);     # WIFEXITED, WEXITSTATUS, WIFSIGNALED, WTERMSIG
use constant ACORE => 0x08;    # ac_flag bit: process dumped core (for $flag, below)
$/ = \64;                      # read one fixed-size 64-byte accounting record at a time

while (my $acct = <>) {
    # Field order follows struct acct in /usr/include/sys/acct.h;
    # the trailing padding bytes of each record are ignored.
    my ( $flag, $uid, $gid, $tty, $btime,               # ac_flag .. ac_btime
         $utime, $stime, $etime, $mem, $io, $rw,        # comp_t counters
         $minflt, $majflt, $swaps, $exitcode, $comm )   # .. ac_exitcode, ac_comm
        = unpack("CxS3LS9x2LA17", $acct);

    printf("%s %-16s", scalar(localtime($btime)), $comm);
    # ac_exitcode is the wait(2) status, so the POSIX macros decode it
    printf(" exited with status %d", WEXITSTATUS($exitcode))
        if WIFEXITED($exitcode);
    printf(" was killed by signal %d", WTERMSIG($exitcode))
        if WIFSIGNALED($exitcode);
    printf(" (core dumped)")
        if $flag & ACORE;
    printf("\n");
}
exit(0);


9.40.3 Discussion


Even the dump-acct command [Recipe 9.39] misses some information recorded by the
kernel, such as the exit code. This is really the status that would
have been returned by wait(2), and includes the specific signal for
commands that were killed. To recover this information, attack the
accounting records directly with a short Perl script.

Our recipe shows how to read and unpack the records, according to the
description in /usr/include/sys/acct.h. When we
run the script, it produces a chronological report that describes how
each process expired, e.g.:

Sun Feb 16 21:23:56 2003 ls               exited with status 0
Sun Feb 16 21:24:05 2003 sleep            was killed by signal 2
Sun Feb 16 21:24:14 2003 grep             exited with status 1
Sun Feb 16 21:25:05 2003 myprogram        was killed by signal 7 (core dumped)
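As an added example (not code from the book), the same record layout decoded in Python with the struct module. It assumes a little-endian Linux host, as the recipe's native-endian unpack does, and goes one step beyond the recipe by decoding the comp_t CPU counters and the ASU (superuser) flag from acct.h; the records it parses are constructed inline rather than read from a real log.

```python
import struct
# Field layout of struct acct on a little-endian Linux host, mirroring the recipe's
# unpack("CxS3LS9x2LA17"): records are 64 bytes and the last 11 bytes are padding.
ACCT_FMT = "<BxHHHIHHHHHHHHHxxI17s"
ACCT_SIZE = 64
ACORE = 0x08  # from the recipe: the process dumped core
ASU = 0x02    # from acct.h: the process used superuser privileges

def comp_t(v):
    """Decode a comp_t: 13-bit mantissa scaled by 8 ** (3-bit exponent)."""
    return (v & 0x1FFF) << (3 * (v >> 13))

def describe_exit(exitcode, flag):
    """Render ac_exitcode the way the wait(2) status macros would, plus the core flag."""
    sig = exitcode & 0x7F                                           # WTERMSIG
    if sig == 0:                                                    # WIFEXITED
        text = "exited with status %d" % ((exitcode >> 8) & 0xFF)   # WEXITSTATUS
    else:                                                           # WIFSIGNALED
        text = "was killed by signal %d" % sig
    if flag & ACORE:
        text += " (core dumped)"
    return text

def parse_record(rec):
    (flag, uid, gid, tty, btime, utime, stime, etime, mem, io, rw,
     minflt, majflt, swaps, exitcode, comm) = struct.unpack_from(ACCT_FMT, rec)
    return {
        "comm": comm.split(b"\0", 1)[0].decode("ascii", "replace"),
        "uid": uid, "btime": btime,
        "cpu_ticks": comp_t(utime) + comp_t(stime),
        "superuser": bool(flag & ASU),
        "status": describe_exit(exitcode, flag),
    }

def parse_log(data):
    """Split a raw accounting file into fixed-size records and decode each."""
    return [parse_record(data[i:i + ACCT_SIZE])
            for i in range(0, len(data) - ACCT_SIZE + 1, ACCT_SIZE)]

def make_record(flag, uid, exitcode, comm, utime=0):
    """Build a constructed 64-byte record for testing (not kernel output)."""
    body = struct.pack(ACCT_FMT, flag, uid, uid, 0, 1045430636,
                       utime, 0, 0, 0, 0, 0, 0, 0, 0, exitcode, comm)
    return body + b"\0" * (ACCT_SIZE - len(body))

# Constructed sample log: a clean exit, a superuser grep exiting 1, a SIGBUS crash.
SAMPLE_LOG = (make_record(0, 1000, 0, b"ls", utime=5)
              + make_record(ASU, 0, 1 << 8, b"grep")
              + make_record(ACORE, 1000, 7, b"myprogram", utime=(2 << 13) | 3))
```

Point parse_log at the bytes of a real pacct file to get the same report as the Perl script, with the ASU flag available for spotting which commands ran with superuser privileges.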


9.40.4 See Also


acct(5). The C language file
/usr/include/sys/acct.h describes the accounting
records written by the kernel.
