Man Linux: Main Page and Category List


       sac - system accounting.


       sac  [-acdfFhilmoprtU] [-w [wtmp-list|-]] [-b H[:M[:S]]] [-s start] [-e
       end] [-X[3|4]] [[-u] user-list] [-x [user-list]]  [-T  [tty-list]]  [-H
       [host-list]]     [-I     H[:M[:S]]]    [-M    hour-range[,...]]     [-R
       [portmaster/pattern-list]]   [--seconds]   [--hms]   [--hm]   [--hours]
       [--round] [--longdate] [--help] [--version]


       Sac  is  a  system administration utility, based on the original BSD ac
       program, to read the wtmp log and produce more  human  readable  system
       usage  information than provided by last. Several features not found in
       the BSD version of this program have been added.

       Sac produces five different types of output:  Total usage in number  of
       login hours since wtmp was created (default), login usage per day (-d),
       total usage per user (-p), usage per tty line (-t), simultaneous  usage
       (-U)  and  raw usage (-r), which prints everything sac knows about your
       accounting file(s). The output of these six are modified  by  supplying
       either  the  average  (-a)  option, the hourly profile (-h) option, the
       login listing (-l) option, and/or the clipping (-c) option.

       The -s and -e options are used to select the starting date  and  ending
       date,  respectively,  to  report on. The format for the date is one of:
       +days (days since the beginning of the wtmp file) or -days (days before
       the end of the wtmp file) or in standard date format: MM/DD/YY.

       The -M option is used to select only specific hours in a day to perform
       accounting on instead of all the hours  in  the  day.   The  hour-range
       format  is: (0-23)[-(0-23)[,hour-range[,...]]].  The hour given applies
       to the whole hour, so a range of "5-6" is a  time  range  from  5am  to
       6:59:59am.   This option is probably only useful to those ISP providers
       that want to charge a different rate for specific time periods.

       Selecting the average option for total usage, gives an  average  number
       of  login  hours  per day since the creation of the wtmp file.  For the
       daily option it prints the total #  of  logins  for  the  day  and  the
       average  login  time per login.  For the per person display it displays
       the total number of logins the user has made and the average amount  of
       time  spent  on  each  login.   For the TTY option, it prints the total
       number of logins on that TTY and the average amount of  time  for  each

       Selecting  the  hourly  profile  option  for total usage gives a visual
       display of the percentage of login time spent  per  hour  for  all  the
       logins  on  the system.  For the daily option it prints the same visual
       display for each day.  For the  per  person  display  it  displays  the
       hourly  breakdown of login time the user spends on the system (this can
       be pretty interesting).  For the TTY option it breaks down hourly usage
       for each TTY.

       Selecting  the login listing option shows the logins and total time for
       each individual login for the time period requested on  each  day,  tty
       line  or  person  depending  on  the profile requested.  Such output is
       ready-made for use as a ISP billing back-end.

       Selecting the -c option performs clipping on the amount of  login  time
       being  used.   Multiple  logins  during  the same time period will only
       count once.  As a side effect (possibly a bug) clipping will affect the
       output  of the average option, reporting only the number of logins that
       uniquely apply to the total login time. Logins that fall totally within
       the  time  span of other logins will be totally clipped out, as if they
       did not occur.

       If the optional user-list is given sac will  only  consider  accounting
       information  from  those users, discarding the rest.  The -u option can
       be used to precede the optional user-list.  This option  is  useful  to
       terminate the -x, -T and -H options.

       The  -x  option,  has  the  reverse effect of the -u option, in that it
       excludes the users specified  from  accounting.   This  is  useful  for
       removing users that are on a lot, which skew average usage results.

       The -T option performs accounting for only the optionally specified tty
       lines listed.  This is useful for determining modem  usage,  and  who’s
       been  using  them  the  most.   The tty line may be given as a wildcard
       pattern, using ‘*’, ‘?’, ‘[...]’ and ‘[^...]’ to easily select a  given
       set  of  tty lines (such as ttyC* to produce accounting on cyclades tty
       lines).  Wildcard patterns should escaped or quoted to avoid having the
       shell process them.

       The  -H  option  performs  accounting for only the optionally specified
       hosts listed.  Since a host-name can only be up to 16  characters  long
       in  the  wtmp  file,  only the first 16 characters of a given host-name
       will be considered for purposes of matches.  If a  host-name  given  on
       the  command  line does not contain any dots (.) or ends with a dot, it
       is taken to be a substring and will match if the first part of the wtmp
       host-name matches the substring.  Like with tty lines, the hostname may
       be given as a wildcard, using ‘*’, ‘?’, ‘[...]’ and ‘[^...]’ to  easily
       select a large number of hosts at once (such as *.indstate.*).

       If  an  option  word used in a -u, -x, -T or -H list begins with an ’@’
       (at) sign, it denotes that the  option  word  specifies  a  file  which
       contains  a  list  of usernames, ttys or hostnames to be applied to the
       specific option.  The "include file" may  contain  comments  which  are
       denoted  by  a  ’#’  (pound)  character at the beginning of a line, ala
       shell scripts.  If a word in an include file  begins  with  an  ’@’  as
       well, it denotes another file is to be included.

       The  -f  option  makes sac perform accounting on both normal logins and
       ftp logins. The -F option makes sac perform accounting on  ftp  logins,
       normal  logins are not considered.  Sac is only guaranteed to work with
       wu-ftpd (wu-archive FTP daemon) style of utmp  entry  for  ftp  logins,
       denoted  by a line of "ftp#####" where "#####" is the process ID of the
       ftp process.

       The time format for sac defaults to fractions of hours.  Thus 1.5 hours
       is  1 hour and 30 minutes.  The output time format may be changed using
       the   command   line   options   --seconds   (seconds   only),    --hms
       (hour:minute:second  format), --hm (hour:minute format), --hours (hours
       only format), and --round which rounds the time to the  nearest  minute
       or hour instead of always rounding down.


       Sac understands the following command line switches:

       --help Outputs a verbose usage listing.

              Prints  alerts  when  sac  encounters  errors  or  other strange
              phenomenon. In the case of a null wtmp entry  (sometimes  caused
              by crackers covering their tracks) sac will print an approximate
              time stamp with the alert.

              Outputs the version of sac.

       -w [wtmp-list|-]
              Select  a  different  input  file(s)  instead  of  the   default
              (/var/log/wtmp).   The accounting file type is determined by the
              options used before -w is reached.

       -d     List login time per day instead of the default total time.

       -p     List login time per user instead of the default total time.

       -t     List login time per tty line instead of the default total  time.

       -U     List  simultaneous  usage  levels.  Lists amount of time at each
              usage level (number of ttys used simultaneously) and the  number
              of accountable hours (time * usage level) at each usage level.

       -r     Print  almost  everything  that  sac knows about your wtmp file.
              Time is displayed in seconds.  The Hourmask is a  24  bit  field
              representing  which  hours accounting was performed on (zero for
              no mask used). The format is fairly obvious.  Useful for use  as
              a  back-end  to  some  accounting package or for graphing usage.
              Quite verbose.

       -a     Print average information.

       -h     Print hourly profile information.

       -l     Print login listing information.

       -c     Perform login "clipping".  Multiple logins during the same  time
              period will only count once.

       -I H[:M[:S]]
              Ignore  specific  amount  of  login  time  for  each user before
              performing accounting.  Only works with -p option.

              Display time in seconds.

       --hms  Display time in Hours:Minutes:Seconds format.

       --hm   Display time in Hours:Minutes format.  Seconds are rounded  off.

              Display  time  in  hours  only  format.  Minutes and seconds are
              rounded off.

              Round time displayed with "--hm" to the nearest  minute,  or  to
              the nearest hour with "--hours".

              Displays  dates  in  long notation (weekday, month, day and four
              digit year).

       -o     Read the wtmp file as if it were an old style BSD wtmp file (old
              utmp format which does not use ut_type field).  Programs such as
              tacacs maintain a wtmp file which does not use all the fields.

       -S     Attempts to seek into wtmp to the day specified by the -s option
              (-s  MM/DD/YY).  Not  guaranteed  to work.  If the seek fails it
              will attempt to rewind  input  to  the  beginning  and  continue
              normally.   Useful  for seeing last days usage from a large wtmp

       -X[3]  Read a wtmp file maintained by xtacacs, terminal  server  access
              control software, versions 3.4 and 3.5.

       -X4    Read a wtmp file maintained by xtacacs version 4.0.

       -i     Include hostname information when trying to determine logins and
              logouts.   This  is  useful  for   accurately   parsing   tacacs
              accounting  logs  which  merge  accounting for multiple terminal
              servers into the same log.

       -R portmaster/pattern-list
              Read and process the  detail  files  maintained  by  the  Radius
              access  control software for terminal servers.  Sac will process
              each detail  file  in  /usr/adm/radacct/<portmaster-name>/detail
              each in turn until all the detail files have been processed.  If
              no portmaster name is given, a detail  file  must  be  specified
              with  the  ‘-w’ option. If a wildcard pattern is given, sac will
              attempt to  find  all  portmaster  directories  that  match  the
              pattern  located  in the radacct directory. A detail file may be
              specified with the ‘-w’ option in addition to the ‘-R’ option.

       -D     When processing radius logs,  this  option  specifies  that  sac
              should  use the @hostname part of user@hostname for the hostname
              field instead of portmasters hostname.  Useful for -H  filtering
              when using radius logs.

       -P     Perform  packet  and octet accounting when reading from a detail
              file  that  logs  packet  and  octet  information  (i.e.  Ascend
              terminal servers).

       -b hours[:minutes[:seconds]]
              Consider  only  those utmp entries that fall within the last few
              hours/minutes/seconds from the current  time,  disregarding  the
              rest.  This option is useful for determining if someone has been
              on in the last few hours.

       -s start
              Selects the starting date of the report.

       -e end Selects the ending date of the report.

       -M hour-range[,...]]
              Select only specific hours in a day  to  perform  accounting  on
              instead  of all the hours in the day.  The hour-range format is:
              (0-23)[-(0-23)[,hour-range[,...]]].  The hour given  applies  to
              the  whole hour, so a range of "5-6" is a time range from 5am to

       -f     Perform  ftp  login  accounting  in  addition  to  normal  shell

       -F     Perform ftp login accounting only.

       -m     Show  minimum  and  maximum number of concurrent logins over the
              total time span or per day/per user when  used  with  the  -d/-p

       -u user-list
              Selects only those users to perform accounting on.

       -x user-list
              Selects those users to not perform accounting on.

       -T tty-list
              Selects those ttys to perform accounting on.  Each tty specifier
              may be a wildcard.

       -H host-list
              Selects  those  hosts  to  perform  accounting  on.   Each  host
              specifier may be a wildcard.


       /var/log/wtmp                  login database
       /usr/adm/radacct/.../detail    Radius accounting logs


       Steve Baker (


       The  documentation  for wtmp is lacking. It’s not clear at all what all
       gets put in wtmp or the significance of any of it.

       The -o and -X options handle what is a login and a  logout  differently
       than   normally  (because  there  is  no  ut_type  field),  making  sac
       incorrectly identify xterm log-outs as a login (xterm does not write  a
       "login"  entry,  only  a "logout" entry that looks just like a login in
       all respects save the contents of the ut_type field).  It  should  also
       be noted that last incorrectly handles xterm log-outs as well.

       The  -f or -F options should not be used with -o -X[3|4] or -R options,
       as sac will default back to a normal utmp format, or ignore the  -f  or
       -F directives depending on where they occur on the command line.

       Using  the -S option will cause sac to skip over accounting information
       which may well apply to the days you are inspecting.  The only sure way
       to  get  all the accounting information is to start at the beginning or
       at least a day before the start you are interested in.

       The -m option does  not  accurately  report  true  min/max  usage  when
       inspecting  more  than  one  logfile if those logfiles overlap the same
       time range.

       The -U option may report incorrect amounts of time when compared to the
       -t option. As yet I have no idea why.

       Sac  (probably)  only  handles  changes in time logged in the wtmp file
       made by netdate. Rdate does not log time changes.

       Clipping can affect the output of  the  average  option,  as  described
       above.   Radius  accounting  uses  Acct-Session-Time to determine usage
       when a stop record has no start record.   Clipping  will  not  function
       correctly when there are missing start records.

       The ut_addr field doesn’t seem to be consistently used by all programs,
       so it cannot be used for exact host-name filtering.  Even if  it  were,
       it would be too much work for this lazy programmer anyway.

       Radius  detail logs suck.  There is not one standard radius detail file
       format.  Sac is not guaranteed to work with your detail file.   If  you
       suspect  sacs’  output is not correct, please contact the author at the
       e-mail address above.

       Null usernames in radius detail logs are represented  as  "UNKNOWN"  by
       sac, which may be a valid username.

       Too much accounting results in big brother... citizen.


       ac(1), last(1), rawtmp(1), wtmp(5), netdate(8L)