Provided by: sac_1.9b5-3_amd64 bug

NAME

       sac - system accounting.

SYNOPSIS

       sac  [-acdfFhilmoprtU]  [-w  [wtmp-list|-]]  [-b  H[:M[:S]]] [-s start] [-e end] [-X[3|4]]
       [[-u] user-list] [-x [user-list]] [-T [tty-list]]  [-H  [host-list]]  [-I  H[:M[:S]]]  [-M
       hour-range[,...]]   [-R  [portmaster/pattern-list]]  [--seconds]  [--hms] [--hm] [--hours]
       [--round] [--longdate] [--help] [--version]

DESCRIPTION

       Sac is a system administration utility, based on the original BSD ac program, to read  the
       wtmp  log  and produce more human readable system usage information than provided by last.
       Several features not found in the BSD version of this program have been added.

       Sac produces five different types of output:  Total usage in number of login  hours  since
       wtmp was created (default), login usage per day (-d), total usage per user (-p), usage per
       tty line (-t), simultaneous usage (-U) and raw usage (-r),  which  prints  everything  sac
       knows  about  your  accounting  file(s). The output of these six are modified by supplying
       either the average (-a) option, the hourly profile (-h) option,  the  login  listing  (-l)
       option, and/or the clipping (-c) option.

       The  -s and -e options are used to select the starting date and ending date, respectively,
       to report on. The format for the date is one of: +days (days since the  beginning  of  the
       wtmp  file)  or  -days  (days before the end of the wtmp file) or in standard date format:
       MM/DD/YY.

       The -M option is used to select only specific hours in a  day  to  perform  accounting  on
       instead  of  all  the  hours  in the day.  The hour-range format is: (0-23)[-(0-23)[,hour-
       range[,...]]].  The hour given applies to the whole hour, so a range of "5-6"  is  a  time
       range  from  5am to 6:59:59am.  This option is probably only useful to those ISP providers
       that want to charge a different rate for specific time periods.

       Selecting the average option for total usage, gives an average number of login  hours  per
       day  since  the  creation of the wtmp file.  For the daily option it prints the total # of
       logins for the day and the average login time per login.  For the per  person  display  it
       displays the total number of logins the user has made and the average amount of time spent
       on each login.  For the TTY option, it prints the total number of logins on that  TTY  and
       the average amount of time for each login.

       Selecting  the  hourly  profile  option  for  total  usage  gives  a visual display of the
       percentage of login time spent per hour for all the logins on the system.  For  the  daily
       option  it  prints  the  same  visual display for each day.  For the per person display it
       displays the hourly breakdown of login time the user spends on the  system  (this  can  be
       pretty interesting).  For the TTY option it breaks down hourly usage for each TTY.

       Selecting  the  login  listing  option shows the logins and total time for each individual
       login for the time period requested on each day, tty  line  or  person  depending  on  the
       profile requested.  Such output is ready-made for use as a ISP billing back-end.

       Selecting  the  -c  option  performs  clipping  on  the  amount  of login time being used.
       Multiple logins during the same time period will  only  count  once.   As  a  side  effect
       (possibly a bug) clipping will affect the output of the average option, reporting only the
       number of logins that uniquely apply to the total login time.  Logins  that  fall  totally
       within  the  time  span  of  other  logins will be totally clipped out, as if they did not
       occur.

       If the optional user-list is given sac will  only  consider  accounting  information  from
       those users, discarding the rest.  The -u option can be used to precede the optional user-
       list.  This option is useful to terminate the -x, -T and -H options.

       The -x option, has the reverse effect of the -u option, in  that  it  excludes  the  users
       specified  from  accounting.   This  is useful for removing users that are on a lot, which
       skew average usage results.

       The -T option performs accounting for only the  optionally  specified  tty  lines  listed.
       This  is  useful for determining modem usage, and who's been using them the most.  The tty
       line may be given as a wildcard pattern, using `*', `?', `[...]' and  `[^...]'  to  easily
       select  a  given  set  of  tty  lines (such as ttyC* to produce accounting on cyclades tty
       lines).  Wildcard patterns should escaped or quoted to  avoid  having  the  shell  process
       them.

       The -H option performs accounting for only the optionally specified hosts listed.  Since a
       host-name can only be up to 16 characters long  in  the  wtmp  file,  only  the  first  16
       characters  of  a  given host-name will be considered for purposes of matches.  If a host-
       name given on the command line does not contain any dots (.) or ends with  a  dot,  it  is
       taken to be a substring and will match if the first part of the wtmp host-name matches the
       substring.  Like with tty lines, the hostname may be given as a wildcard, using `*',  `?',
       `[...]'  and  `[^...]'  to  easily  select  a  large  number  of  hosts  at  once (such as
       *.indstate.*).

       If an option word used in a -u, -x, -T or -H list begins with an '@' (at) sign, it denotes
       that  the  option  word  specifies  a  file  which  contains  a list of usernames, ttys or
       hostnames to be applied to the specific option.  The "include file" may  contain  comments
       which  are  denoted  by  a  '#'  (pound)  character  at the beginning of a line, ala shell
       scripts.  If a word in an include file begins with an '@' as well, it denotes another file
       is to be included.

       The  -f  option  makes sac perform accounting on both normal logins and ftp logins. The -F
       option makes sac perform accounting on ftp logins, normal logins are not considered.   Sac
       is  only  guaranteed  to work with wu-ftpd (wu-archive FTP daemon) style of utmp entry for
       ftp logins, denoted by a line of "ftp#####" where "#####" is the process  ID  of  the  ftp
       process.

       The  time  format for sac defaults to fractions of hours.  Thus 1.5 hours is 1 hour and 30
       minutes.  The output time format may be changed using the command line  options  --seconds
       (seconds  only),  --hms  (hour:minute:second  format),  --hm (hour:minute format), --hours
       (hours only format), and --round which rounds the time  to  the  nearest  minute  or  hour
       instead of always rounding down.

OPTIONS

       Sac understands the following command line switches:

       --help Outputs a verbose usage listing.

       --verbose
              Prints  alerts  when sac encounters errors or other strange phenomenon. In the case
              of a null wtmp entry (sometimes caused by crackers covering their tracks) sac  will
              print an approximate time stamp with the alert.

       --version
              Outputs the version of sac.

       -w [wtmp-list|-]
              Select  a  different  input  file(s)  instead  of the default (/var/log/wtmp).  The
              accounting file type is determined by the options used before -w is reached.

       -d     List login time per day instead of the default total time.

       -p     List login time per user instead of the default total time.

       -t     List login time per tty line instead of the default total time.

       -U     List simultaneous usage levels.  Lists amount of time at each usage  level  (number
              of  ttys  used  simultaneously)  and  the number of accountable hours (time * usage
              level) at each usage level.

       -r     Print almost everything that sac knows about your wtmp file. Time is  displayed  in
              seconds.   The  Hourmask  is a 24 bit field representing which hours accounting was
              performed on (zero for no mask used). The format is fairly obvious.  Useful for use
              as a back-end to some accounting package or for graphing usage. Quite verbose.

       -a     Print average information.

       -h     Print hourly profile information.

       -l     Print login listing information.

       -c     Perform  login  "clipping".   Multiple logins during the same time period will only
              count once.

       -I H[:M[:S]]
              Ignore specific amount of login time for each user  before  performing  accounting.
              Only works with -p option.

       --seconds
              Display time in seconds.

       --hms  Display time in Hours:Minutes:Seconds format.

       --hm   Display time in Hours:Minutes format.  Seconds are rounded off.

       --hours
              Display time in hours only format. Minutes and seconds are rounded off.

       --round
              Round time displayed with "--hm" to the nearest minute, or to the nearest hour with
              "--hours".

       --longdate
              Displays dates in long notation (weekday, month, day and four digit year).

       -o     Read the wtmp file as if it were an old style BSD wtmp file (old utmp format  which
              does  not  use  ut_type field).  Programs such as tacacs maintain a wtmp file which
              does not use all the fields.

       -S     Attempts to seek into wtmp to the day specified by the -s option (-s MM/DD/YY). Not
              guaranteed  to  work.   If  the  seek  fails it will attempt to rewind input to the
              beginning and continue normally.  Useful for seeing last days usage  from  a  large
              wtmp file.

       -X[3]  Read  a  wtmp  file maintained by xtacacs, terminal server access control software,
              versions 3.4 and 3.5.

       -X4    Read a wtmp file maintained by xtacacs version 4.0.

       -i     Include hostname information when trying to determine logins and logouts.  This  is
              useful  for  accurately  parsing  tacacs accounting logs which merge accounting for
              multiple terminal servers into the same log.

       -R portmaster/pattern-list
              Read and process the detail files maintained by the Radius access control  software
              for    terminal    servers.     Sac    will    process    each   detail   file   in
              /usr/adm/radacct/<portmaster-name>/detail each in turn until all the  detail  files
              have  been  processed.   If  no  portmaster  name  is  given, a detail file must be
              specified with the `-w' option. If a wildcard pattern is given, sac will attempt to
              find  all  portmaster  directories  that  match  the pattern located in the radacct
              directory. A detail file may be specified with the `-w' option in addition  to  the
              `-R' option.

       -D     When  processing  radius  logs,  this  option  specifies  that  sac  should use the
              @hostname part of user@hostname for  the  hostname  field  instead  of  portmasters
              hostname.  Useful for -H filtering when using radius logs.

       -P     Perform  packet  and  octet  accounting  when  reading from a detail file that logs
              packet and octet information (i.e. Ascend terminal servers).

       -b hours[:minutes[:seconds]]
              Consider   only   those   utmp   entries   that   fall   within   the   last    few
              hours/minutes/seconds from the current time, disregarding the rest.  This option is
              useful for determining if someone has been on in the last few hours.

       -s start
              Selects the starting date of the report.

       -e end Selects the ending date of the report.

       -M hour-range[,...]]
              Select only specific hours in a day to perform accounting on  instead  of  all  the
              hours  in  the  day.  The hour-range format is: (0-23)[-(0-23)[,hour-range[,...]]].
              The hour given applies to the whole hour, so a range of "5-6" is a time range  from
              5am to 6:59:59am.

       -f     Perform ftp login accounting in addition to normal shell accounting.

       -F     Perform ftp login accounting only.

       -m     Show  minimum  and  maximum number of concurrent logins over the total time span or
              per day/per user when used with the -d/-p option.

       -u user-list
              Selects only those users to perform accounting on.

       -x user-list
              Selects those users to not perform accounting on.

       -T tty-list
              Selects those ttys to perform accounting on.  Each tty specifier may be a wildcard.

       -H host-list
              Selects those hosts to perform  accounting  on.   Each  host  specifier  may  be  a
              wildcard.

FILES

       /var/log/wtmp                  login database
       /usr/adm/radacct/.../detail    Radius accounting logs

AUTHOR

       Steve Baker (ice@mama.indstate.edu)

BUGS

       The  documentation for wtmp is lacking. It's not clear at all what all gets put in wtmp or
       the significance of any of it.

       The -o and -X options handle what is a  login  and  a  logout  differently  than  normally
       (because  there  is no ut_type field), making sac incorrectly identify xterm log-outs as a
       login (xterm does not write a "login" entry, only a "logout" entry that looks just like  a
       login  in  all  respects save the contents of the ut_type field).  It should also be noted
       that last incorrectly handles xterm log-outs as well.

       The -f or -F options should not be used with -o -X[3|4] or -R options, as sac will default
       back  to  a  normal utmp format, or ignore the -f or -F directives depending on where they
       occur on the command line.

       Using the -S option will cause sac to skip over  accounting  information  which  may  well
       apply  to  the  days  you  are  inspecting.   The  only sure way to get all the accounting
       information is to start at the beginning or at least  a  day  before  the  start  you  are
       interested in.

       The  -m option does not accurately report true min/max usage when inspecting more than one
       logfile if those logfiles overlap the same time range.

       The -U option may report incorrect amounts of time when compared to the -t option. As  yet
       I have no idea why.

       Sac (probably) only handles changes in time logged in the wtmp file made by netdate. Rdate
       does not log time changes.

       Clipping can affect the  output  of  the  average  option,  as  described  above.   Radius
       accounting  uses  Acct-Session-Time  to  determine  usage  when a stop record has no start
       record.  Clipping will not function correctly when there are missing start records.

       The ut_addr field doesn't seem to be consistently used by all programs, so  it  cannot  be
       used  for  exact host-name filtering.  Even if it were, it would be too much work for this
       lazy programmer anyway.

       Radius detail logs suck.  There is not one standard radius detail file format.  Sac is not
       guaranteed  to  work  with  your detail file.  If you suspect sacs' output is not correct,
       please contact the author at the e-mail address above.

       Null usernames in radius detail logs are represented as "UNKNOWN" by sac, which may  be  a
       valid username.

       Too much accounting results in big brother... citizen.

SEE ALSO

       ac(1), last(1), rawtmp(1), wtmp(5), netdate(8L)