Process Accounting (im_acct)
This module can be used to collect process accounting logs from a Linux or BSD kernel.
To examine the supported platforms, see the list of installer packages in the Available Modules chapter. |
Configuration
The im_acct module accepts the following directives in addition to the common module directives.
Required directives
The following directives are required for the module to start.
This boolean directive specifies that accounting should be disabled when im_acct stops.
If AcctOff is set to |
|
This boolean directive specifies that accounting should be enabled when im_acct starts.
If AcctOn is set to |
|
NXLog will automatically truncate the log file when it reaches this size, specified as an integer in bytes (see Integer). The default is 1 MB. |
Fields
The following fields are used by im_acct.
$raw_event
(type: string)-
A list of event fields in key-value pairs.
$CharactersTransferred
(type: string)-
The characters transferred.
$Command
(type: string)-
The first 16 characters of the command name.
$CompatFlag
(type: boolean)-
Set to TRUE if a
COMPAT
flag is associated with the process event (used compatibility mode).
$CoreDumpedFlag
(type: boolean)-
Set to TRUE if a
CORE
flag is associated with the process event (dumped core).
$EventTime
(type: datetime)-
The process start time.
$ExitCode
(type: integer)-
The process exit code.
$ForkFlag
(type: boolean)-
Set to TRUE if a
FORK
flag is associated with the process event (has executed fork, but no exec).
$GroupID
(type: integer)-
The group ID of the process.
$MajorPageFaults
(type: string)-
The number of major page faults.
$MinorPageFaults
(type: string)-
The number of minor page faults.
$RealTime
(type: string)-
The total elapsed time.
$RWBlocks
(type: string)-
The number of blocks read or written.
$Severity
(type: string)-
The severity name:
INFO
.
$SeverityValue
(type: integer)-
The INFO severity level value:
2
.
$SuFlag
(type: boolean)-
Set to TRUE if a
SU
flag is associated with the process event (used superuser privileges).
$SysTime
(type: string)-
The total system processing time elapsed.
$UserID
(type: integer)-
The user ID of the process.
$UserTime
(type: string)-
The total user processing time elapsed.
$XSIGFlag
(type: boolean)-
Set to TRUE if an
XSIG
flag is associated with the process event (killed by a signal).
Examples
With this configuration, the im_acct module will collect process accounting logs. Process accounting will be automatically enabled and configured to write logs to the file specified. NXLog will allow the file to grow to a maximum size of 10 MB before truncating it.
<Input acct>
Module im_acct
File '/var/log/acct.log'
FileSizeLimit 10M
</Input>