Process accounting is the way to go, despite it sucking up lots of disk space. It’s not something I’d leave running unless you have a very grunty box but it’s very useful for problem solving since it basically tracks every process, a claim the simpler ‘snapshot of ps’ tools can’t match.

You basically turn it on with accton /var/account/pacct and the kernel then writes details of every process that exits, including:

• process name (not args, unfortunately).
• start time.
• elapsed time.
• user and system CPU times.
• exit code.
• memory, I/O, fault and swap statistics.
• process ID.
• parent process ID.

and a few other things.

You shut it down with a naked accton so all you people who laughed at Windows for using a Start button to shut down, HAH !! 🙂

There are two variants of records that can be logged, v1 and v3 – make sure you’re using the latest process accounting software and v3 records as they hold more useful information. The /usr/include/linux/acct.h file shows what you can get from there.

The records are all fixed size (regardless of version) and easy to process.

We’ve just recently finished a Linux agent for our performance monitoring software – I thought I’d jot this down while it’s still fresh in my memory.

One thing to watch out for are the comp_t fields – these are actually a weird exponent/mantissa type for holding a large range of values in 16 bits – the algorithm is pretty simple for turning it into a long:

comp_t ct = ?; long val = (ct & 0x1fff) << (((ct >> 13) & 0x7) * 3); 

Another thing is that some values are in clock ticks, not seconds, so you have to divide by the value returned by sysconf (_SC_CLK_TCK).