Saturday, February 24, 2018

Acct with openSUSE Leap 42.3

OS: openSUSE Leap 42.3 in Azure

I previously read the article "How to Monitor User Activity with psacct or acct Tools".
Today I found some time to try it out hands-on.

First, search for the relevant package.
On openSUSE it is the acct package.

# zypper  search   acct
Loading repository data...
Reading installed packages...

S | Name                     | Summary                                                | Type      
--+--------------------------+--------------------------------------------------------+-----------
 | acct                     | User-Specific Process Accounting                       | package   

Install the acct package

# zypper  install  acct
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
 acct

1 new package to install.
Overall download size: 65.7 KiB. Already cached: 0 B. After the operation, additional 161.1 KiB will be used.
Continue? [y/n/...? shows all options] (y): Y

Check the service status

# systemctl   status  acct.service
● acct.service - Process accounting
  Loaded: loaded (/usr/lib/systemd/system/acct.service; disabled; vendor preset: disabled)
  Active: inactive (dead)
    Docs: man:accton(8)

Start the acct service

# systemctl  start  acct.service

Check the service again

# systemctl   status   acct.service
● acct.service - Process accounting
  Loaded: loaded (/usr/lib/systemd/system/acct.service; disabled; vendor preset: disabled)
  Active: active (exited) since Sat 2018-02-24 11:29:28 UTC; 3s ago
    Docs: man:accton(8)
 Process: 21556 ExecStart=/usr/sbin/accton /var/log/account/pacct (code=exited, status=0/SUCCESS)
 Process: 21552 ExecStartPre=/usr/bin/chmod 600 /var/log/account/pacct (code=exited, status=0/SUCCESS)
Main PID: 21556 (code=exited, status=0/SUCCESS)

Enable the service at boot

# systemctl  enable  acct.service
Created symlink from /etc/systemd/system/multi-user.target.wants/acct.service to /usr/lib/systemd/system/acct.service.

Confirm the setting

# systemctl  is-enabled  acct.service
enabled

For reference, the ac command's man page found online

# ac  --help
               Usage: ac [-dhpVy] [-f <file>] [people] ...
               [--daily-totals] [--individual-totals] [--file <file>]
               [--complain] [--reboots] [--supplants] [--timewarps] [--print-year]
               [--compatibility] [--print-zeros] [--debug] [--tw-leniency <value>]
               [--tw-suspicious <value>] [--version] [--help]

The system's default login accounting file is /var/log/wtmp

ac uses /var/log/wtmp to produce its reports
  • ac prints out a report of connect time (in hours) based on the logins/logouts in the current wtmp file. A total is also printed out.

The wtmp file is not human-readable when opened with vim or cat. After searching online, the last command is the way to view it.

# last  -f   /var/log/wtmp
sakana   pts/0        110.50.148.40    Sat Feb 24 12:13   still logged in   
sakana   pts/0        110.50.148.40    Sat Feb 24 11:18 - 11:33  (00:15)    
reboot   system boot  4.4.104-39-defau Sat Feb 24 08:48 - 12:23  (03:34)  

Next, try the ac command

# ac
total        0.47

At this point it shows 0.47 (the unit is the "in hours" mentioned above, i.e. 0.47 hours)

Totals on a per-day basis

# ac   -d
Today total        0.50

Totals per user

# ac   -p
sakana                               0.54
ines                                 0.00
total        0.54

Totals for a specific user

# ac  -p   sakana
sakana                               0.56
total        0.56

Next, test the sa command

The man page found online

# sa  --help

               Usage: sa [ options ] [ file ]
               
               options: [-abcdfiljkmnprstuDKP] [-v <num>] [--version] [--help]
               [--other-acct-file <name>] [--other-usracct-file <name>]
               [--print-seconds] [--dont-read-summary-files] [--debug]
                [--separate-times] [--other-savacct-file <name>] [--percentages]
                [--print-ratio] [--print-users] [--merge] [--user-summary] [--group-summary]
               [--list-all-names] [--not-interactive] [--threshold <num>]
                [--sort-ksec] [--sort-tio] [--sort-sys-user-div-calls] [--sort-avio]
                [--sort-cpu-avmem] [--sort-num-calls] [--sort-real-time] [--ahz hz]
      [--show-paging] [--show-paging-avg]

The system's default process accounting files are:

 raw process accounting data: /var/log/account/pacct
     summary by command name: /var/log/account/savacct
         summary by username: /var/log/account/usracct

The option of this command that I found most useful is -m
  • -m, --user-summary
    • Print the number of processes and number of CPU minutes on a per-user basis.

# sa  -m
                                    2542     707.54re       0.06cp         0avio      3570k
root                                 2411     544.83re       0.06cp         0avio      3412k
sakana                                 44      61.46re       0.00cp         0avio      4106k
sshd                                   43       2.17re       0.00cp         0avio     11906k
ines                                   43       0.00re       0.00cp         0avio      3388k
postfix                                 1      99.07re       0.00cp         0avio      9006k

There is also the -c option, which displays percentages and makes it easier to tell at a glance which commands use more CPU time
  • -c, --percentages
    • Print percentages of total time for the command's user, system, and real time values.

# sa  -c
   3055  100.00%     757.85re  100.00%       0.10cp  100.00%         0avio      3604k
   2170   71.03%       0.40re    0.05%       0.04cp   44.02%         0avio      3234k   iptables
     38    1.24%       0.26re    0.03%       0.02cp   18.02%         0avio      4176k   find
      8    0.26%      15.40re    2.03%       0.01cp    8.15%         0avio      9132k   systemd
      5    0.16%       2.16re    0.29%       0.01cp    6.24%         0avio      5964k   man

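First, my own impressions of the sa command
  • sa -m can be used to find which logged-in users are actually running commands
    • For the same login, ac -p keeps accumulating connect time, but if the user only logs in and does not run any commands, their real time in sa -m will be 0.00 re
    • In other words, if sa -m shows that some user's real time keeps rising, you can conclude that they are continuously performing some activity
  • sa -c finds the commands that consume more CPU time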
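
The cross-check described in the list above, written out as an added example (it is not part of the original post): it joins ac -p and sa -m output per user and labels each account. The sample text is constructed from the outputs shown in this post; the function names and the verdict labels active, login-only and no-login are this example's own.

```shell
#!/bin/sh
# Added example: join `ac -p` (login hours from wtmp) with `sa -m`
# (per-user process totals from pacct) and label each account.
# Sample data is constructed from the outputs shown in this post.

AC_SAMPLE='sakana                               0.54
ines                                 0.00
total        0.54'

SA_SAMPLE='                                    2542     707.54re       0.06cp         0avio      3570k
root                                 2411     544.83re       0.06cp         0avio      3412k
sakana                                 44      61.46re       0.00cp         0avio      4106k
sshd                                   43       2.17re       0.00cp         0avio     11906k
ines                                   43       0.00re       0.00cp         0avio      3388k
postfix                                 1      99.07re       0.00cp         0avio      9006k'

# classify AC_TEXT SA_TEXT -> "<user> <login_hours|-> <real_min|-> <verdict>"
classify() {
    {
        printf '%s\n' "$1" | sed 's/^/AC /'
        printf '%s\n' "$2" | sed 's/^/SA /'
    } | awk '
        # ac -p user line is "<user> <hours>"; skip the grand total line
        $1 == "AC" && NF == 3 && $2 != "total" { hours[$2] = $3; seen[$2] = 1 }
        # sa -m user lines have 6 columns; the unnamed totals line has only 5
        $1 == "SA" && NF == 7 { re = $4; sub(/re$/, "", re); real[$2] = re; seen[$2] = 1 }
        END {
            for (u in seen) {
                h = (u in hours) ? hours[u] : "-"
                r = (u in real)  ? real[u]  : "-"
                if (!(u in hours))               v = "no-login"    # processes, no wtmp session
                else if (r == "-" || r + 0 == 0) v = "login-only"  # session, no real time
                else                             v = "active"
                print u, h, r, v
            }
        }' | sort
}

# verdict_for USER AC_TEXT SA_TEXT -> verdict label for one account
verdict_for() {
    classify "$2" "$3" | awk -v u="$1" '$1 == u { print $4 }'
}

classify "$AC_SAMPLE" "$SA_SAMPLE"
```

On a live system, pass the real output instead: classify "$(ac -p)" "$(sa -m)". Service accounts such as sshd and postfix are expected to come out as no-login, since they run processes without a login session in wtmp.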

Finally, test the lastcomm command

The man page found online

# lastcomm  --help
Usage: lastcomm [-hpV] [-f file] [command] ... [user] ... [terminal] ...
      [--forwards] [--file <file>] [--strict-match] [--print-controls]
      [--user <name>] [--tty <name>] [--command <name>] [--debug]
      [--show-paging] [--version] [--help]

The system's default process accounting file is /var/log/account/pacct.

I find the lastcomm command itself only so-so.
The more useful part is probably appending a command name, to see which users ran it and when

# lastcomm  ls
ls                     root     pts/0      0.00 secs Sat Feb 24 13:09
ls                     root     pts/0      0.00 secs Sat Feb 24 13:09
ls                     root     pts/0      0.00 secs Sat Feb 24 13:08
ls                     max      pts/2      0.00 secs Sat Feb 24 12:49
ls                     max      pts/2      0.00 secs Sat Feb 24 12:49
ls                     max      pts/2      0.00 secs Sat Feb 24 12:49
ls                     ines     pts/1      0.00 secs Sat Feb 24 12:47
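
A per-user summary of the lastcomm listing above, as an added example that is not part of the original post. lastcomm prints an optional flag column (S, F, D, X) between the command and the user, which shifts the field positions, so the parser anchors on the literal "secs" column and counts backwards. The sample is constructed: the seven lines from this post plus two flagged lines; the function name runs_by_user is this example's own, and it assumes the default newest-first order.

```shell
#!/bin/sh
# Added example: summarise lastcomm output per user for one command.
# Sample is constructed: seven lines from this post plus two flagged lines.

LASTCOMM_SAMPLE='ls                     root     pts/0      0.00 secs Sat Feb 24 13:09
ls                     root     pts/0      0.00 secs Sat Feb 24 13:09
ls                     root     pts/0      0.00 secs Sat Feb 24 13:08
ls                     max      pts/2      0.00 secs Sat Feb 24 12:49
ls                     max      pts/2      0.00 secs Sat Feb 24 12:49
ls                     max      pts/2      0.00 secs Sat Feb 24 12:49
ls                X    max      pts/2      0.00 secs Sat Feb 24 12:48
ls                     ines     pts/1      0.00 secs Sat Feb 24 12:47
cron             SF    root     __         0.00 secs Sat Feb 24 12:45'

# runs_by_user CMD TEXT -> "<user> <runs> <flags|-> <most recent run>"
runs_by_user() {
    printf '%s\n' "$2" | awk -v cmd="$1" '
        {
            # find the "secs" column; user, tty and time sit just before it
            s = 0
            for (i = 2; i <= NF; i++) if ($i == "secs") { s = i; break }
            if (s < 5 || $1 != cmd) next
            u = $(s - 3)
            if (!(u in n)) {
                # newest-first input: the first line seen is the latest run
                order[++k] = u
                when = $(s + 1)
                for (i = s + 2; i <= NF; i++) when = when " " $i
                last[u] = when
            }
            n[u]++
            # s == 6 means a flag column is present in field 2
            if (s == 6 && !index(fl[u], $2)) fl[u] = fl[u] $2
        }
        END {
            for (j = 1; j <= k; j++) {
                u = order[j]
                print u, n[u], (fl[u] == "" ? "-" : fl[u]), last[u]
            }
        }'
}

runs_by_user ls "$LASTCOMM_SAMPLE"
```

On a live system: runs_by_user ls "$(lastcomm ls)".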

That's all for today
~ enjoy it
