NXLog User Guide

109.2. Process Accounting (im_acct)

This module can be used to collect process accounting logs from a Linux or BSD kernel.

109.2.1. Configuration

The im_acct module accepts the following directives in addition to the common module directives.

AcctOff: This boolean directive specifes that accounting should be disabled when im_acct stops. If AcctOff is set to FALSE, accounting will not be disabled; events will continue to be written to the log file for NXLog to collect later. The default is FALSE.

AcctOn: This boolean directive specifies that accounting should be enabled when im_acct starts. If AcctOn is set to FALSE, accounting will not be enabled automatically. The default is TRUE.

File: This optional directive specifies the path where the kernel writes accounting data.

FileSizeLimit: NXLog will automatically truncate the log file when it reaches this size, specified as an integer in bytes (see Integer). The default is 1 MB.

109.2.2. Fields

The following fields are used by im_acct.

$raw_event (type: string): A string containing a list of key/value pairs from the event.

$CharactersTransferred (type: string): The characters transferred.

$Command (type: string): The first 16 characters of the command name.

$CompatFlag (type: boolean): Set to TRUE if a COMPAT flag is associated with the process event (used compatibility mode).

$CoreDumpedFlag (type: boolean): Set to TRUE if a CORE flag is associated with the process event (dumped core).

$EventTime (type: datetime): The process start time.

$ExitCode (type: integer): The process exit code.

$ForkFlag (type: boolean): Set to TRUE if a FORK flag is associated with the process event (has executed fork, but no exec).

$Group (type: string): The system group corresponding to the $GroupID.

$GroupID (type: integer): The group ID of the process.

$MajorPageFaults (type: string): The number of major page faults.

$MemoryUsage (type: integer): The average memory usage of the process (on BSD).
$MemoryUsage (type: string): The average memory usage of the process (on Linux).

$MinorPageFaults (type: string): The number of minor page faults.

$RealTime (type: string): The total elapsed time.

$RWBlocks (type: string): The number of blocks read or written.

$Severity (type: string): The severity name: INFO.

$SeverityValue (type: integer): The INFO severity level value: 2.

$SuFlag (type: boolean): Set to TRUE if a SU flag is associated with the process event (used superuser privileges).

$SysTime (type: string): The total system processing time elapsed.

$User (type: string): The system user corresponding to the $UserID.

$UserID (type: integer): The user ID of the process.

$UserTime (type: string): The total user processing time elapsed.

$XSIGFlag (type: boolean): Set to TRUE if an XSIG flag is associated with the process event (killed by a signal).

109.2.3. Examples

Example 539. Collecting Process Accounting Logs

With this configuration, the im_acct module will collect process accounting logs. Process accounting will be automatically enabled and configured to write logs to the file specified. NXLog will allow the file to grow to a maximum size of 10 MB before truncating it.

nxlog.conf


  1
2
3
4
5

  <Input acct>
    Module          im_acct
    File            '/var/log/acct.log'
    FileSizeLimit   10M
</Input>