NAME
sac - system accounting.
SYNOPSIS
sac [-acdfFhilmoprtU] [-w [wtmp-list|-]] [-b H[:M[:S]]] [-s start] [-e
end] [-X[3|4]] [[-u] user-list] [-x [user-list]] [-T [tty-list]] [-H
[host-list]] [-I H[:M[:S]]] [-M hour-range[,...]] [-R
[portmaster/pattern-list]] [--seconds] [--hms] [--hm] [--hours]
[--round] [--longdate] [--help] [--version]
DESCRIPTION
Sac is a system administration utility, based on the original BSD ac
program, to read the wtmp log and produce more human readable system
usage information than provided by last. Several features not found in
the BSD version of this program have been added.
Sac produces five different types of output: Total usage in number of
login hours since wtmp was created (default), login usage per day (-d),
total usage per user (-p), usage per tty line (-t), simultaneous usage
(-U) and raw usage (-r), which prints everything sac knows about your
accounting file(s). The output of these six are modified by supplying
either the average (-a) option, the hourly profile (-h) option, the
login listing (-l) option, and/or the clipping (-c) option.
The -s and -e options are used to select the starting date and ending
date, respectively, to report on. The format for the date is one of:
+days (days since the beginning of the wtmp file) or -days (days before
the end of the wtmp file) or in standard date format: MM/DD/YY.
The -M option is used to select only specific hours in a day to perform
accounting on instead of all the hours in the day. The hour-range
format is: (0-23)[-(0-23)[,hour-range[,...]]]. The hour given applies
to the whole hour, so a range of "5-6" is a time range from 5am to
6:59:59am. This option is probably only useful to those ISP providers
that want to charge a different rate for specific time periods.
Selecting the average option for total usage, gives an average number
of login hours per day since the creation of the wtmp file. For the
daily option it prints the total # of logins for the day and the
average login time per login. For the per person display it displays
the total number of logins the user has made and the average amount of
time spent on each login. For the TTY option, it prints the total
number of logins on that TTY and the average amount of time for each
login.
Selecting the hourly profile option for total usage gives a visual
display of the percentage of login time spent per hour for all the
logins on the system. For the daily option it prints the same visual
display for each day. For the per person display it displays the
hourly breakdown of login time the user spends on the system (this can
be pretty interesting). For the TTY option it breaks down hourly usage
for each TTY.
Selecting the login listing option shows the logins and total time for
each individual login for the time period requested on each day, tty
line or person depending on the profile requested. Such output is
ready-made for use as a ISP billing back-end.
Selecting the -c option performs clipping on the amount of login time
being used. Multiple logins during the same time period will only
count once. As a side effect (possibly a bug) clipping will affect the
output of the average option, reporting only the number of logins that
uniquely apply to the total login time. Logins that fall totally within
the time span of other logins will be totally clipped out, as if they
did not occur.
If the optional user-list is given sac will only consider accounting
information from those users, discarding the rest. The -u option can
be used to precede the optional user-list. This option is useful to
terminate the -x, -T and -H options.
The -x option, has the reverse effect of the -u option, in that it
excludes the users specified from accounting. This is useful for
removing users that are on a lot, which skew average usage results.
The -T option performs accounting for only the optionally specified tty
lines listed. This is useful for determining modem usage, and who’s
been using them the most. The tty line may be given as a wildcard
pattern, using ‘*’, ‘?’, ‘[...]’ and ‘[^...]’ to easily select a given
set of tty lines (such as ttyC* to produce accounting on cyclades tty
lines). Wildcard patterns should escaped or quoted to avoid having the
shell process them.
The -H option performs accounting for only the optionally specified
hosts listed. Since a host-name can only be up to 16 characters long
in the wtmp file, only the first 16 characters of a given host-name
will be considered for purposes of matches. If a host-name given on
the command line does not contain any dots (.) or ends with a dot, it
is taken to be a substring and will match if the first part of the wtmp
host-name matches the substring. Like with tty lines, the hostname may
be given as a wildcard, using ‘*’, ‘?’, ‘[...]’ and ‘[^...]’ to easily
select a large number of hosts at once (such as *.indstate.*).
If an option word used in a -u, -x, -T or -H list begins with an ’@’
(at) sign, it denotes that the option word specifies a file which
contains a list of usernames, ttys or hostnames to be applied to the
specific option. The "include file" may contain comments which are
denoted by a ’#’ (pound) character at the beginning of a line, ala
shell scripts. If a word in an include file begins with an ’@’ as
well, it denotes another file is to be included.
The -f option makes sac perform accounting on both normal logins and
ftp logins. The -F option makes sac perform accounting on ftp logins,
normal logins are not considered. Sac is only guaranteed to work with
wu-ftpd (wu-archive FTP daemon) style of utmp entry for ftp logins,
denoted by a line of "ftp#####" where "#####" is the process ID of the
ftp process.
The time format for sac defaults to fractions of hours. Thus 1.5 hours
is 1 hour and 30 minutes. The output time format may be changed using
the command line options --seconds (seconds only), --hms
(hour:minute:second format), --hm (hour:minute format), --hours (hours
only format), and --round which rounds the time to the nearest minute
or hour instead of always rounding down.
OPTIONS
Sac understands the following command line switches:
--help Outputs a verbose usage listing.
--verbose
Prints alerts when sac encounters errors or other strange
phenomenon. In the case of a null wtmp entry (sometimes caused
by crackers covering their tracks) sac will print an approximate
time stamp with the alert.
--version
Outputs the version of sac.
-w [wtmp-list|-]
Select a different input file(s) instead of the default
(/var/log/wtmp). The accounting file type is determined by the
options used before -w is reached.
-d List login time per day instead of the default total time.
-p List login time per user instead of the default total time.
-t List login time per tty line instead of the default total time.
-U List simultaneous usage levels. Lists amount of time at each
usage level (number of ttys used simultaneously) and the number
of accountable hours (time * usage level) at each usage level.
-r Print almost everything that sac knows about your wtmp file.
Time is displayed in seconds. The Hourmask is a 24 bit field
representing which hours accounting was performed on (zero for
no mask used). The format is fairly obvious. Useful for use as
a back-end to some accounting package or for graphing usage.
Quite verbose.
-a Print average information.
-h Print hourly profile information.
-l Print login listing information.
-c Perform login "clipping". Multiple logins during the same time
period will only count once.
-I H[:M[:S]]
Ignore specific amount of login time for each user before
performing accounting. Only works with -p option.
--seconds
Display time in seconds.
--hms Display time in Hours:Minutes:Seconds format.
--hm Display time in Hours:Minutes format. Seconds are rounded off.
--hours
Display time in hours only format. Minutes and seconds are
rounded off.
--round
Round time displayed with "--hm" to the nearest minute, or to
the nearest hour with "--hours".
--longdate
Displays dates in long notation (weekday, month, day and four
digit year).
-o Read the wtmp file as if it were an old style BSD wtmp file (old
utmp format which does not use ut_type field). Programs such as
tacacs maintain a wtmp file which does not use all the fields.
-S Attempts to seek into wtmp to the day specified by the -s option
(-s MM/DD/YY). Not guaranteed to work. If the seek fails it
will attempt to rewind input to the beginning and continue
normally. Useful for seeing last days usage from a large wtmp
file.
-X[3] Read a wtmp file maintained by xtacacs, terminal server access
control software, versions 3.4 and 3.5.
-X4 Read a wtmp file maintained by xtacacs version 4.0.
-i Include hostname information when trying to determine logins and
logouts. This is useful for accurately parsing tacacs
accounting logs which merge accounting for multiple terminal
servers into the same log.
-R portmaster/pattern-list
Read and process the detail files maintained by the Radius
access control software for terminal servers. Sac will process
each detail file in /usr/adm/radacct/<portmaster-name>/detail
each in turn until all the detail files have been processed. If
no portmaster name is given, a detail file must be specified
with the ‘-w’ option. If a wildcard pattern is given, sac will
attempt to find all portmaster directories that match the
pattern located in the radacct directory. A detail file may be
specified with the ‘-w’ option in addition to the ‘-R’ option.
-D When processing radius logs, this option specifies that sac
should use the @hostname part of user@hostname for the hostname
field instead of portmasters hostname. Useful for -H filtering
when using radius logs.
-P Perform packet and octet accounting when reading from a detail
file that logs packet and octet information (i.e. Ascend
terminal servers).
-b hours[:minutes[:seconds]]
Consider only those utmp entries that fall within the last few
hours/minutes/seconds from the current time, disregarding the
rest. This option is useful for determining if someone has been
on in the last few hours.
-s start
Selects the starting date of the report.
-e end Selects the ending date of the report.
-M hour-range[,...]]
Select only specific hours in a day to perform accounting on
instead of all the hours in the day. The hour-range format is:
(0-23)[-(0-23)[,hour-range[,...]]]. The hour given applies to
the whole hour, so a range of "5-6" is a time range from 5am to
6:59:59am.
-f Perform ftp login accounting in addition to normal shell
accounting.
-F Perform ftp login accounting only.
-m Show minimum and maximum number of concurrent logins over the
total time span or per day/per user when used with the -d/-p
option.
-u user-list
Selects only those users to perform accounting on.
-x user-list
Selects those users to not perform accounting on.
-T tty-list
Selects those ttys to perform accounting on. Each tty specifier
may be a wildcard.
-H host-list
Selects those hosts to perform accounting on. Each host
specifier may be a wildcard.
FILES
/var/log/wtmp login database
/usr/adm/radacct/.../detail Radius accounting logs
AUTHOR
Steve Baker (ice@mama.indstate.edu)
BUGS
The documentation for wtmp is lacking. It’s not clear at all what all
gets put in wtmp or the significance of any of it.
The -o and -X options handle what is a login and a logout differently
than normally (because there is no ut_type field), making sac
incorrectly identify xterm log-outs as a login (xterm does not write a
"login" entry, only a "logout" entry that looks just like a login in
all respects save the contents of the ut_type field). It should also
be noted that last incorrectly handles xterm log-outs as well.
The -f or -F options should not be used with -o -X[3|4] or -R options,
as sac will default back to a normal utmp format, or ignore the -f or
-F directives depending on where they occur on the command line.
Using the -S option will cause sac to skip over accounting information
which may well apply to the days you are inspecting. The only sure way
to get all the accounting information is to start at the beginning or
at least a day before the start you are interested in.
The -m option does not accurately report true min/max usage when
inspecting more than one logfile if those logfiles overlap the same
time range.
The -U option may report incorrect amounts of time when compared to the
-t option. As yet I have no idea why.
Sac (probably) only handles changes in time logged in the wtmp file
made by netdate. Rdate does not log time changes.
Clipping can affect the output of the average option, as described
above. Radius accounting uses Acct-Session-Time to determine usage
when a stop record has no start record. Clipping will not function
correctly when there are missing start records.
The ut_addr field doesn’t seem to be consistently used by all programs,
so it cannot be used for exact host-name filtering. Even if it were,
it would be too much work for this lazy programmer anyway.
Radius detail logs suck. There is not one standard radius detail file
format. Sac is not guaranteed to work with your detail file. If you
suspect sacs’ output is not correct, please contact the author at the
e-mail address above.
Null usernames in radius detail logs are represented as "UNKNOWN" by
sac, which may be a valid username.
Too much accounting results in big brother... citizen.
SEE ALSO
ac(1), last(1), rawtmp(1), wtmp(5), netdate(8L)