/var/log/pacct is empty

LQSlacker · 08-19-2016, 01:53 AM

I'm running Slackware 14.2 x86_64

I compiled 4.4.16, grep shows this for the process;

>grep -i process_acct /usr/src/linux/.config
CONFIG_BSD_PROCESS_ACCT=y
CONFIG_BSD_PROCESS_ACCT_V3=y

I ran; touch /var/log/pacct

And added this to rc.local;

# Turn process accounting on
if [ -x /sbin/accton ]; then
/sbin/accton /var/log/pacct
echo "Process accounting turned on"
fi

When I rebooted and did various things on my box and checked pacct, I noticed it was empty and 'lastcomm' shows no output at the terminal.

I don't understand why nothing is being logged to /var/log/pacct?

STDOUBT · 08-19-2016, 04:45 AM

Quote:

>grep -i process_acct /usr/src/linux/.config

What about grepping the kernel config that you're actually running?

/usr/src/linux/ is where you built yes?
What does this show?

Code:

 grep -i process_acct /boot/config-generic-smp-4.4.16-smp

(modify the above to the kernel you're running, of course)

Also, not sure if this matters but TLDP's page on this says the stansa should read:

Code:

# Turn process accounting on. 
if [ -x /sbin/accton ]
then 
		/sbin/accton /var/log/pacct 
		echo "Process accounting turned on." 
fi

I notice your code's a bit different.

Noryungi · 08-19-2016, 07:07 AM

This is what /etc/rc.d/rc.M says on my Slackware machine (13.1, soon to be 14.2):

Code:

# Turn on process accounting.  To enable process accounting, make sure the
# option for BSD process accounting is enabled in your kernel, and then
# create the file /var/log/pacct (touch /var/log/pacct).  By default, process
# accounting is not enabled (since /var/log/pacct does not exist).  This is
# because the log file can get VERY large.
if [ -x /sbin/accton -a -r /var/log/pacct ]; then
  chmod 640 /var/log/pacct
  /sbin/accton /var/log/pacct
fi

Does your /var/log/pacct file respect ''640'' (rw-r-----) in terms of rights?

Also, please note the warning contained in the comments...

suppy · 08-19-2016, 10:19 AM

Quote:

Originally Posted by STDOUBT

Code:

 grep -i process_acct /boot/config-generic-smp-4.4.16-smp

I'd rather suggest

Code:

 zgrep -i process_acct /proc/config.gz

LQSlacker · 08-19-2016, 03:39 PM

Ahh my bad, didn't realize in 14.2, in the rc.M it had the Process Acct section, so I removed the one from the rc.local.

Yes permissions are the same;

>ls -l pacct
-rw-r----- 1 root root 0 Aug 18 14:47 pacct

What warning in comments?

I did touch /var/log/pacct if this is what you're referring to?

zgrep -i process_acct /proc/config.gz
CONFIG_BSD_PROCESS_ACCT=y
CONFIG_BSD_PROCESS_ACCT_V3=y

Still nothing shows in the log.

Do I need Audit support or should I check the kernel for other support that needs to be compiled in?

I also didn't do a full install of Slack, I'm wondering if there's something else that acct is going to need, in order to work?

With the process acct, my understanding, anything you do at the term, mkdir, rm, cd, ls, etc., is going to show in the log?

suppy · 08-19-2016, 04:23 PM

Well, do you have the /sbin/accton binary? and is it executable?

Code:

 ls -l /sbin/accton

LQSlacker · 08-19-2016, 04:34 PM

Yes of course I installed acct-6.5.4-x86_64-2

>ls -l /sbin/accton
-rwxr-xr-x 1 root root 8704 Oct 23 2013 /sbin/accton

LQSlacker · 08-19-2016, 04:46 PM

Looking at man accton;

accton [OPTION] on|off|filename

--help says the same thing...

>accton --help
Usage: accton [OPTION] on|off|ACCOUNTING_FILE

Turns process accounting on or off, or changes the file where this
info is saved.

OPTIONS:
-h, --help Show help and exit
-V, --version Show version and exit

ARGUMENTS:
on Activate process accounting and use default file
off Deactivate process accounting
ACCOUNTING_FILE Activate (if not active) and save information in
this file

The system's default process accounting file is '/var/log/pacct'.

Report bugs to <bug-acct@gnu.org>

So then I ran accton off & accton on and I'm finally seeing activity!

SO looking over man showing; on|off|filename I don't get why the rc.M entry is not working?

if [ -x /sbin/accton -a -r /var/log/pacct ]; then
chmod 640 /var/log/pacct
/sbin/accton /var/log/pacct
echo "Process accounting turned on"
fi

/sbin/accton /var/log/pacct is not working, is this working for others? If so, since I didn't do a full install of slack, could I be missing something needed, to make this function?

LQSlacker · 08-19-2016, 09:39 PM

Not trying to bump here, just wanted to seperate the posts...

Ok I ran the stock 4.4.14 kernel and it worked...

So now I appear to be missing something from the kernel, but it's my understanding it only needs the BSD Process Accounting.

Under 'CPU/Task time and stats accounting' I have all the same options compiled in as the stock kernel.

The thing is, with my kernel, when I log into X and run these cmds it works;

rm /var/log/pacct
touch /var/log/pacct
chmod 640 /var/log/pacct
accton off
accton on

Sometimes I noticed I only had to run accton off and accton on and it worked and other times I had to run all the cmds above to get it running...

I'm lost with this, not understanding what's missing from my kernel, and why this isn't running from the rc.M?

Noryungi · 08-20-2016, 10:21 AM

The issue is that (if I understand well) you are turning process accounting on and off several times, without restarting your system.

The /etc/rc.d/rc.M file is executed only once, as the system is going into multi-user mode.

If turning process accounting on and off is what you are looking for, then you should probably run the commands you listed in order to run or stop process accounting.

Please be aware that turning process accounting on consumes a lot of disk space in the log file -- this is why I mentioned the warning (followed by a

)

LQSlacker · 08-20-2016, 05:27 PM

No, if I restart the system with the stock 4.4.14 kernel then rc.M is working to start acct and I see logging happening.

If I restart with my kernel I compiled 4.4.18 I am not seeing rc.M working, it does say at the console that Process Accounting is on, but the logs are empty and lastcomm shows nothing.

So for now I'm trying to figure out what I'm missing in the kernel, I thought all I needed was the BSD Process Accounting, which I have all the same options compiled in as the stock kernel.

suppy · 08-20-2016, 06:39 PM

so, start with a diff of the configs between stock kernel and your kernel, and see if you find anything that looks relevant, then try changing that and see if it works.

then you'd go over the changes one by one until you get a kernel that works for you..

Edit:

... or just stick with the stock kernel ...

LQSlacker · 08-20-2016, 07:52 PM

Yes what's relevant to Accounting is the question here, and who knows the answer?

I certainly know all the differences I've made to the kernel, but none of them stick out as Accounting related.

Here's the real kicker, acct works, it just doesn't run from an rc script, as I mentioned before. As root, once logged into X I can run it manually and it's working, but for some odd reason, most of the time I have to rm /var/log/pacct then touch /var/log/pacct and chmod 640 /var/log/pacct THEN accton on and it's working....

If the support to work wasn't there, then running it manually would have no effect, the problem here really is, what is in the stock kernel allowing it to start from the rc.M script?

Hmm

LQSlacker · 08-20-2016, 11:53 PM

Something else I just noticed since my last reply, I just compiled 4.4.19 making changes I thought would help, but didn't.

When I rebooted the new kernel and at the console, I ran as root; 'accton off', 'accton on', and lastcomm, and there was nothing.

BUT when I logged into X and ran the cmds over it worked, WHAT THE HECK! Why it doesn't start out in the console, but it does in X...

Hmm this thing is getting weirder by the second, but maybe this will explain something?

Errr :/

LQSlacker · 08-22-2016, 07:49 PM

I spent the entire day a few days ago going over this, numerous times recompiing the kernel over.

I finally came to realize one thing, there seems to be a bug here with this application, in what respect, I don't know, but let me explain, what I finally came to conclude, and if this is not a bug here, then hopefully someone can explain what is going on...

I grabbed at the below URL the config-huge 4.4.14 kernel config of Slackware;

http://mirrors.slackware.com/slackwa...config-x86_64/

I made only 2 changes to this kernel and then compiled it.

1. I removed 'CONFIG_BLK_DEV_INITRD' - Initial RAM filesystem and RAM disk (initramfs/initrd) support
I also do not even use this on my box, so I don't see how/why this would also have an effect.

2. Next I changed the CONFIG_DEFAULT_HOSTNAME="darkstar" to the hostname of 'none', another option I do not see how/why this would also have an effect.

3. When I rebooted this kernel and logged into the console, lastcomm did not show anything, I then tried running accton off & accton on, still nothing working, then when I logged into X and ran accton off & accton on, then lastcomm worked.... Hmm

4. Here is the rc.M entry calling this at startup;

if [ -x /sbin/accton -a -r /var/log/pacct ]; then
chmod 640 /var/log/pacct
/sbin/accton /var/log/pacct
fi

How can this not work at startup and not turn on acct, when only removing 'Initial RAM filesystem and RAM disk' when it's not even being used on the box, and changing the hostname in the kernel? If I don't change these options it works. Also then, why wouldn't accton on work out in the console, but it then works in X?

I don't see how this is a problem with Slackware, there appears to be some kind of odd bug with acct.

Now this isn't just the end of the insanity, I can leave these 2 options alone and change anything in the kernel, and for some reason it still acts up the same way. I'm not saying everything you change causes it not to work, but changes that are not even related to BSD Process accounting...