On Sun, Nov 12, 2000 at 02:56:48PM -0800, Crist J . Clark wrote:
> To view the information in the accounting files I have always used
> sa(8). You can get all of the same info out of the raw files as you
> can from the summary ones as far as sa(8) is concerned... I think.
>
> > I was looking
> > for the login times of a particular user and I believe I need the raw log
> > files for that.
>
> That information is not even from the /var/account files, that's in
> utmp and wtmp. That information is already archived by newsyslog which
> by default keeps three _months_ of old records (it used to keep a
> year's worth). See last(1).

I am sorry, I should know better than to post without thinking first. I
was looking for the times/dates that each command was executed. I think
that's in the raw files only.

> > It looks to me there is a small race condition with the 310.accounting
> > script.
> >
> > cp -pf acct acct.0 || rc=3
> > sa -s >/dev/null || rc=3
> >
> > wouldn't commands logged between the two statements be lost?
>
> Yes and no. No commands will be lost to the summary files (which is
> what is considered to be important), but there may be commands that
> are lost between the acct.0 file and the new acct files.

Ok, I might still be confused here, but I personally don't care much
about the summary files but am interested more in the raw files,
specifically time/date each command was executed.

> > I can't
> > think of a way to work around this though. Or is there some special
> > system magic that I am missing?
>
> Notice that the 'acct' is never actually removed explicitly in the
> script. The sa(8) command truncates the acct file after reading in its
> information, so nothing is lost in the summary files.

Right, but we definitely could lose information in the acct.* archives.

Tim
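
The gap discussed in this message, as an added example that is not part of the original thread and not the 310.accounting script itself: a simulation of the two quoted steps on plain text files, with a check that compares what reached the summary against what survives in the raw files. It assumes one text line stands in for one accounting record; `sa_s_sim`, `savacct.sim` and the sample records are hypothetical stand-ins constructed for the illustration.

```shell
#!/bin/sh
# Simulation of the rotation steps quoted in the thread, using plain text files.
# Assumption: one line stands in for one accounting record (real acct records
# are binary), and sa_s_sim is a hypothetical stand-in for "sa -s".

# Stand-in for "sa -s": fold every record currently in acct into the
# summary, then truncate acct, as the thread says sa(8) does.
sa_s_sim() {
    cat "$1/acct" >> "$1/savacct.sim"
    : > "$1/acct"
}

# Run one rotation in directory $1. If $2 is "race", a command exits
# (and is logged) between the copy and the summarise step.
rotate() {
    cp -pf "$1/acct" "$1/acct.0"
    if [ "$2" = "race" ]; then
        echo "late-cmd" >> "$1/acct"    # constructed record
    fi
    sa_s_sim "$1"
}

# Count records (lines) in a file.
count() { wc -l < "$1" | tr -d ' '; }

# Records that reached the summary but are in neither acct.0 nor acct.
missing_from_raw() {
    summarised=$(count "$1/savacct.sim")
    raw=$(( $(count "$1/acct.0") + $(count "$1/acct") ))
    echo $(( summarised - raw ))
}

# Build a scratch directory with three constructed records and rotate it.
run_case() {
    dir=$(mktemp -d)
    printf 'ls\ncat\nvi\n' > "$dir/acct"
    : > "$dir/savacct.sim"
    rotate "$dir" "$1"
    missing_from_raw "$dir"
    rm -rf "$dir"
}

echo "no race: $(run_case none) record(s) missing from raw files"
echo "race:    $(run_case race) record(s) missing from raw files"
```

In the race case the late record is counted in the summary but appears in neither acct.0 nor the new acct, which is the loss of per-command detail the message is concerned about.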