System Accounting -- General Information


About this document
    Related documentation
Setting up system accounting
The information generated by system accounting
How system accounting is initiated
System accounting directories
Space in /var for system accounting
Daytime processes
Nighttime processes
System accounting error information
About the accounting programs
Detailed information about runacct
Detailed information about monacct
Additional accounting possibilities
Recommended fixes

About this document

This document contains information on various aspects of system accounting for all levels of AIX Version 3.2 and AIX Version 4.

Related documentation

System accounting, which comes from BDS or System V, is documented in the AIX System Management Guide.

Additional information can also be found in the following book:
UNIX Administration Guide for System V
(Chapter 7 is on System Accounting)
by Rebecca Thomas and Rik Sarrow
Publisher: Prentice and Hall
ISBN 0-13-942889-5

The product documentation library can be accessed at the following URL:

Setting up system accounting

If the accounting software is not installed, it will need to be installed before setting up system accounting. The LPP is bosext2.acct.obj for AIX 3.2 and fileset bos.acct for AIX 4.

The information generated by system accounting

Accounting generates daily reports in /var/adm/acct/sum. The file names are rprtMMDD, where MM is the month and DD is the date.

The first of each month, a monthly report is created and the daily reports are removed. This is in /var/adm/acct/fiscal and is called fiscrptMM, where MM is the month. The report is for the previous month. For example, fiscrpt02 is the monthly report for January.

The reports contain the following information:

How system accounting is initiated

Follow the steps in the separate fax document entitled, "Set Up of System Accounting in AIX 4.x". The steps include:

System accounting directories

All accounting programs
Files linked to /usr/sbin/acct
wtmp, pacct and qacct files
Monthly reports
Working directory for nighttime accounting processes
Daily reports

The System Management Guide briefly describes each file in these directories.

Space in /var for system accounting

Accounting will cause /var to grow. Running accounting with defaults takes one physical partition (4MB) in /var; this may be increased to at least two physical partitions (8MB). Monitor /var to see if the size will need to be increased. Accounting is not the only reason that /var may be full; the queueing system is also in /var and may take up space if a lot of printing is done.

More detail about space used in /var

Each command that is run adds 40 bytes to the pacct file. So, 25000 commands a day requires 1 MB of free space in /var for the pacct files. This space is freed nightly.

The daily reports could require anywhere from 1-3 MB throughout the month. This space is freed at the end of each month. The monthly reports should require less than 1 MB of free space throughout the year. These numbers will vary with the amount of activity on the system.

Daytime processes

Logins and logouts are logged in /var/adm/wtmp. It is cleared out nightly by runacct. If accounting is not running, this file will grow. This file does not have to exist if accounting is not running, but it is useful. To see an ASCII version of wtmp, /etc/utmp, or /etc/security/failedlogin, use the fwtmp command.

All daily process activity is logged in /var/adm/pacct. Each process completed increases this file by 40 bytes. For heavily used systems, this file can use large amounts of space in /var.

/usr/sbin/acct/ckpacct checks the size of /var/adm/pacct and the amount of free space in /var. It is run from cron and should be run at intervals appropriate for the system.

If /var/adm/pacct is over 1000 blocks, ckpacct will switch the pacct file. This means it will copy pacct to pacct# (# starts with 1 and increases to the next unused number) and clear out pacct again.

If the free space in /var falls below 500 blocks, then ckpacct turns off accounting until space is made available. This will result in loss of accounting data during the period that accounting is turned off. ckpacct will turn accounting on again when more space is available. There is no notification unless the MAILCOM variable is set.

   MAILCOM="mail root adm" 
This can be set in the ckpacct and runacct scripts or in the /etc/environment file. If MAILCOM is set in both places the setting in ckpacct and runacct is used.

Nighttime processes

Accounting is kicked off by cron, usually during the late hours of the day. This occurs if the process is set up according to the set up fax mentioned in the "How system accounting is initiated" section of this document. The scripts that are usually run at night are:

Analyzes the amount of disk usage per user
Creates the daily reports
Runs once a month to create monthly reports from daily ones

See "About the accounting programs" for more information about these scripts.

System accounting error information

/var/adm/acct/nite/accterr contains the most system accounting error information.

/var/adm/acct/nite/active contains information about the steps that have been completed during the runacct script.

/var/adm/acct/nite/statefile lists the current state of runacct.

It is possible mail will not be received from cron because cron redirects output to the accterr file or to /dev/null; however, if the cron jobs are set up not to do this, there will be mail from cron.

Also, mail will not be received from the runacct script unless the MAILCOM line is uncommented in /usr/sbin/acct/runacct.

About the accounting programs


dodisk performs disk usage accounting on all file systems that have account = true in /etc/filesystems. dodisk creates a file for use by runacct called /var/adm/acct/nite/dacct. The dodisk command needs to be started at least 10-30 minutes before runacct to allow it to complete before runacct starts. If the dacct file is not finished before runacct tries to process it, unreliable data will exist in the daily reports.


ckpacct checks /var to ensure it does not run out of space. It also makes sure that /var/adm/pacct does not become too large and unmanageable. It accomplishes this by renaming pacct to pacctxx and starting a new pacct file when pacct grows over 500 disk blocks. The normal interval for running ckpacct is once an hour. It should be run more often on systems that are heavily used. The more commands that are run, the faster the pacct files grow.


runacct performs daily accounting and generates daily reports in the /var/adm/acct/sum directory. This command is divided into STATEs (procedures). If the process breaks, it can be started again at the correct STATE. Parameters should not be applied when using runacct unless trying to start the process over from a failed attempt. See the following section for more information.


monacct cleans up daily reports and creates a monthly report in /var/adm/acct/fiscal. See the following section for more information.

Detailed information about runacct

The runacct command can take two arguments; however, they should only be used to start a runacct that previously failed. The documentation states that the command usage is

   runacct [MMDD] [STATE ... ] 
but the correct syntax is
   runacct [MMDD [STATE]] 
Before restarting runacct, refer to the "Restarting runacct Procedures" in the product documentation for necessary cleanup to be performed; otherwise, the runacct command will fail to run properly.

If runacct is restarted, use the MMDD for the day that runacct was running (that is, if runacct failed on 0623, run runacct 0623). It will continue at the point of failure. A certain STATE can also be specified at which to start. This is necessary only if a STATE is skipped or redo one that has been done. The valid STATEs are:


Any state other than these is invalid and generates errors in the active file.

The following sections list the actions during each state of runacct.

Before the states begin

SETUP - basic set up of files to be used

WTMPFIX - fix any corruption in the wtmp file

CONNECT1 - produce connect time info in ctmp.h format

CONNECT2 - convert ctmp.h records to tacct records

PROCESS - create process accounting info

MERGE - Merge the ctacct and ptacct files together

FEES - Merge in fee accounting info

DISK - Merge in disk accounting Info

QUEUEACCT - merge in queue accounting info

MERGEACCT - create daily tacct files

CMS - create command summaries

USEREXIT - run any extra accounting programs

CLEANUP - Clean up temp files and write daily report

Detailed information about monacct

monacct performs these steps:

Additional accounting possibilities

The daily report might be all that is needed; however, the commands a specific user ran can be seen by running acctcom. It generates a file with one line for each command ran and indicates the time the command was run and who ran it. (See product documentation for a complete list of flags for the acctcom command. Only the minimum syntax is used in the examples that follow.)

Since runacct deletes the pacct files, which are needed by acctcom, run acctcom first or save the pacct files before runacct is run.

If acctcom is run before runacct, use the following syntax to run acctcom. Note that the output will be rather large.

   acctcom /var/adm/pacct* > somefile 

To save the pacct files before runacct, the recommended method is to change runacct to save the files before it continues processing:

  1. Become the adm user.

  2. Run the following commands:
       cd /var/adm 
       mkdir oldpacct     #(directory to save pacct files in) 
  3. Become the root user.

  4. Start an edit session on /usr/sbin/acct/runacct.

  5. Find the following line:
       mv ${_i} S${_i}.${_date} 
  6. Just above the line that you found, add the following:
       cp ${_i} /var/adm/oldpacct/${_i} 

If the modified runacct is run before acctcom, use the following syntax to run acctcom:

   acctcom /var/adm/oldpacct/pacct* > somefile 
   rm /var/adm/oldpacct/pacct* 

Recommended fixes

   APAR         AIX LEVEL
  IY04722        4.3.3

[ Doc Ref: 90605193914784     Publish Date: Spt. 28, 2000     4FAX Ref: 4182 ]