NXLog Legacy Documentation

Process Accounting (im_acct)

This module can be used to collect process accounting logs from a Linux or BSD kernel.

To examine the supported platforms, see the list of installer packages in the Available Modules chapter.

Configuration

The im_acct module accepts the following directives in addition to the common module directives.

Required directives

The following directives are required for the module to start.

AcctOff

This boolean directive specifies that accounting should be disabled when im_acct stops. If AcctOff is set to FALSE, accounting will not be disabled; events will continue to be written to the log file for NXLog to collect later. The default is FALSE.

AcctOn

This boolean directive specifies that accounting should be enabled when im_acct starts. If AcctOn is set to FALSE, accounting will not be enabled automatically. The default is TRUE.

FileSizeLimit

NXLog will automatically truncate the log file when it reaches this size, specified as an integer in bytes (see Integer). The default is 1 MB.

Optional directives

File

This optional directive specifies the path where the kernel writes accounting data.

Fields

The following fields are used by im_acct.

$raw_event (type: string)

A list of event fields in key-value pairs.

$CharactersTransferred (type: string)

The characters transferred.

$Command (type: string)

The first 16 characters of the command name.

$CompatFlag (type: boolean)

Set to TRUE if a COMPAT flag is associated with the process event (used compatibility mode).

$CoreDumpedFlag (type: boolean)

Set to TRUE if a CORE flag is associated with the process event (dumped core).

$EventTime (type: datetime)

The process start time.

$ExitCode (type: integer)

The process exit code.

$ForkFlag (type: boolean)

Set to TRUE if a FORK flag is associated with the process event (has executed fork, but no exec).

$Group (type: string)

The system group corresponding to the $GroupID.

$GroupID (type: integer)

The group ID of the process.

$MajorPageFaults (type: string)

The number of major page faults.

$MemoryUsage (type: integer)

The average memory usage of the process (on BSD).

$MemoryUsage (type: string)

The average memory usage of the process (on Linux).

$MinorPageFaults (type: string)

The number of minor page faults.

$RealTime (type: string)

The total elapsed time.

$RWBlocks (type: string)

The number of blocks read or written.

$Severity (type: string)

The severity name: INFO.

$SeverityValue (type: integer)

The INFO severity level value: 2.

$SuFlag (type: boolean)

Set to TRUE if a SU flag is associated with the process event (used superuser privileges).

$SysTime (type: string)

The total system processing time elapsed.

$User (type: string)

The system user corresponding to the $UserID.

$UserID (type: integer)

The user ID of the process.

$UserTime (type: string)

The total user processing time elapsed.

$XSIGFlag (type: boolean)

Set to TRUE if an XSIG flag is associated with the process event (killed by a signal).
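The fields above correspond one-to-one to the record the Linux kernel appends to the accounting file. As an added illustration (not NXLog's code), the following Python decodes one such record into fields named like the im_acct output; it assumes the 64-byte struct acct_v3 layout from <linux/acct.h>, the comp_t encoding used for its counters, and a constructed sample record as input.

```python
import struct
from datetime import datetime, timezone

# struct acct_v3 from <linux/acct.h> (assumed layout, little-endian): flag, version, tty,
# exitcode, uid, gid, pid, ppid, btime, etime (IEEE float in v3), eight comp_t, 16-byte comm.
ACCT_V3 = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")  # 64 bytes
ACCT_VERSION = 3
# ac_flag bits AFORK, ASU, ACOMPAT, ACORE, AXSIG and the im_acct fields they become.
FLAG_FIELDS = {0x01: "ForkFlag", 0x02: "SuFlag", 0x04: "CompatFlag",
               0x08: "CoreDumpedFlag", 0x10: "XSIGFlag"}

def decode_comp_t(c: int) -> int:
    """comp_t packs a 13-bit mantissa with a 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))

def encode_comp_t(value: int) -> int:
    """Inverse of decode_comp_t (lossy above 8191); used only to build the sample record."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value

def parse_acct_v3(record: bytes) -> dict:
    """Decode one 64-byte kernel record into fields named like the im_acct output."""
    if len(record) != ACCT_V3.size:
        raise ValueError(f"expected {ACCT_V3.size}-byte record, got {len(record)}")
    (flag, version, _tty, exitcode, uid, gid, _pid, _ppid, btime, etime, utime, stime,
     mem, io, rw, minflt, majflt, _swaps, comm) = ACCT_V3.unpack(record)
    if version != ACCT_VERSION:
        raise ValueError(f"unsupported acct record version {version}")
    fields = {
        "Command": comm.split(b"\0", 1)[0].decode("ascii", "replace"),  # <= 16 chars
        "UserID": uid, "GroupID": gid,
        "ExitCode": exitcode,  # raw wait status as recorded by the kernel
        "EventTime": datetime.fromtimestamp(btime, tz=timezone.utc),
        "RealTime": etime,  # clock ticks, as are UserTime and SysTime
        "UserTime": decode_comp_t(utime), "SysTime": decode_comp_t(stime),
        "MemoryUsage": decode_comp_t(mem), "CharactersTransferred": decode_comp_t(io),
        "RWBlocks": decode_comp_t(rw), "MinorPageFaults": decode_comp_t(minflt),
        "MajorPageFaults": decode_comp_t(majflt),
    }
    fields.update({name: bool(flag & bit) for bit, name in FLAG_FIELDS.items()})
    return fields

# Constructed sample: a privileged process (ASU) that was killed by a signal (AXSIG).
SAMPLE_RECORD = ACCT_V3.pack(
    0x02 | 0x10, ACCT_VERSION, 0, 9, 1000, 1000, 4242, 1, 1700000000, 300.0,
    encode_comp_t(250), encode_comp_t(40), encode_comp_t(1024), encode_comp_t(65536),
    encode_comp_t(0), encode_comp_t(300), encode_comp_t(2), 0, b"sudo")
```

Note that comp_t rounds large counters down to three significant octal digits, so values read back from the accounting file can differ slightly from what the process actually consumed.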

Examples

Example 1. Collecting Process Accounting Logs

With this configuration, the im_acct module will collect process accounting logs. Process accounting will be automatically enabled and configured to write logs to the file specified. NXLog will allow the file to grow to a maximum size of 10 MB before truncating it.

nxlog.conf
<Input acct>
    Module          im_acct
    File            '/var/log/acct.log'
    FileSizeLimit   10M
</Input>