109.2. Process Accounting (im_acct)
This module can be used to collect process accounting logs from a Linux or BSD kernel.
109.2.1. Configuration
The im_acct module accepts the following directives in addition to the common module directives.
- AcctOff
-
This boolean directive specifes that accounting should be disabled when im_acct stops. If AcctOff is set to FALSE, accounting will not be disabled; events will continue to be written to the log file for NXLog to collect later. The default is FALSE.
- AcctOn
-
This boolean directive specifies that accounting should be enabled when im_acct starts. If AcctOn is set to FALSE, accounting will not be enabled automatically. The default is TRUE.
- File
-
This optional directive specifies the path where the kernel writes accounting data.
- FileSizeLimit
-
NXLog will automatically truncate the log file when it reaches this size, specified as an integer in bytes (see Integer). The default is 1 MB.
109.2.2. Fields
The following fields are used by im_acct.
$raw_event
(type: string)-
A string containing a list of key/value pairs from the event.
$CharactersTransferred
(type: string)-
The characters transferred.
$Command
(type: string)-
The first 16 characters of the command name.
$CompatFlag
(type: boolean)-
Set to TRUE if a
COMPAT
flag is associated with the process event (used compatibility mode).
$CoreDumpedFlag
(type: boolean)-
Set to TRUE if a
CORE
flag is associated with the process event (dumped core).
$EventTime
(type: datetime)-
The process start time.
$ExitCode
(type: integer)-
The process exit code.
$ForkFlag
(type: boolean)-
Set to TRUE if a
FORK
flag is associated with the process event (has executed fork, but no exec).
$GroupID
(type: integer)-
The group ID of the process.
$MajorPageFaults
(type: string)-
The number of major page faults.
$MinorPageFaults
(type: string)-
The number of minor page faults.
$RealTime
(type: string)-
The total elapsed time.
$RWBlocks
(type: string)-
The number of blocks read or written.
$Severity
(type: string)-
The severity name:
INFO
.
$SeverityValue
(type: integer)-
The INFO severity level value:
2
.
$SuFlag
(type: boolean)-
Set to TRUE if a
SU
flag is associated with the process event (used superuser privileges).
$SysTime
(type: string)-
The total system processing time elapsed.
$UserID
(type: integer)-
The user ID of the process.
$UserTime
(type: string)-
The total user processing time elapsed.
$XSIGFlag
(type: boolean)-
Set to TRUE if an
XSIG
flag is associated with the process event (killed by a signal).
109.2.3. Examples
With this configuration, the im_acct module will collect process accounting logs. Process accounting will be automatically enabled and configured to write logs to the file specified. NXLog will allow the file to grow to a maximum size of 10 MB before truncating it.