Provided by: sac_1.9b5-3build1_amd64

NAME

       sac - system accounting.

SYNOPSIS

       sac  [-acdfFhilmoprtU]  [-w  [wtmp-list|-]] [-b H[:M[:S]]] [-s start] [-e end] [-X[3|4]] [[-u] user-list]
       [-x  [user-list]]  [-T  [tty-list]]  [-H  [host-list]]  [-I   H[:M[:S]]]   [-M   hour-range[,...]]    [-R
       [portmaster/pattern-list]]   [--seconds]   [--hms]   [--hm]  [--hours]  [--round]  [--longdate]  [--help]
       [--version]

DESCRIPTION

       Sac is a system administration utility, based on the original BSD ac program, to read the  wtmp  log  and
       produce more human readable system usage information than provided by last. Several features not found in
       the BSD version of this program have been added.

       Sac produces six different types of output:  Total usage in number of login hours since wtmp was created
       (default), login usage per day (-d), total usage per user (-p), usage per tty line (-t), simultaneous
       usage (-U) and raw usage (-r), which prints everything sac knows about your accounting file(s).  The
       output of these six can be modified by supplying the average (-a) option, the hourly profile (-h)
       option, the login listing (-l) option, and/or the clipping (-c) option.

       The -s and -e options are used to select the starting date and ending date, respectively, to  report  on.
       The  format  for  the  date  is  one of: +days (days since the beginning of the wtmp file) or -days (days
       before the end of the wtmp file) or in standard date format: MM/DD/YY.

       The -M option is used to select only specific hours in a day to perform accounting on instead of all  the
       hours  in the day.  The hour-range format is: (0-23)[-(0-23)[,hour-range[,...]]].  The hour given applies
       to the whole hour, so a range of "5-6" is a time range from 5am to 6:59:59am.  This  option  is  probably
       only useful to those ISP providers that want to charge a different rate for specific time periods.

       Selecting the average option for total usage gives an average number of login hours per day since the
       creation of the wtmp file.  For the daily option it prints the total # of logins  for  the  day  and  the
       average login time per login.  For the per person display it displays the total number of logins the user
       has made and the average amount of time spent on each login.  For the TTY option,  it  prints  the  total
       number of logins on that TTY and the average amount of time for each login.

       Selecting  the  hourly  profile  option for total usage gives a visual display of the percentage of login
       time spent per hour for all the logins on the system.  For the daily option it  prints  the  same  visual
       display for each day.  For the per person display it displays the hourly breakdown of login time the user
       spends on the system (this can be pretty interesting).  For the TTY option it breaks  down  hourly  usage
       for each TTY.

       Selecting the login listing option shows the logins and total time for each individual login for the time
       period requested on each day, tty line or person depending on the  profile  requested.   Such  output  is
       ready-made for use as an ISP billing back-end.

       Selecting the -c option performs clipping on the amount of login time being used.  Multiple logins during
       the same time period will only count once.  As a side effect (possibly a bug) clipping  will  affect  the
       output  of the average option, reporting only the number of logins that uniquely apply to the total login
       time. Logins that fall totally within the time span of other logins will be totally clipped  out,  as  if
       they did not occur.
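
       The clipping rule above, together with the simultaneous usage levels that -U reports, as an added
       Python example that is not part of sac or of this manual page.  The session times are constructed,
       and counting a login only when it adds time not already covered by earlier logins is an assumption
       about how -c counts.

```python
from collections import defaultdict

# Constructed sample: (login, logout) in seconds from the start of the day.
SESSIONS = [
    (0, 7200),       # two hours
    (3600, 10800),   # overlaps the first login by one hour
    (4500, 6300),    # lies entirely inside the two logins above
    (14400, 18000),  # separate one-hour login later on
]

def usage_levels(sessions):
    """Seconds spent at each level of simultaneous logins (the -U view)."""
    events = sorted([(s, 1) for s, _ in sessions] + [(e, -1) for _, e in sessions])
    levels, level, prev = defaultdict(int), 0, None
    for t, delta in events:  # on equal times a logout sorts before a login
        if level > 0 and t > prev:
            levels[level] += t - prev
        level += delta
        prev = t
    return dict(levels)

def clipped(sessions):
    """Return (clipped_seconds, logins_counted) for the -c view."""
    total, counted, covered_to = 0, 0, None
    # Longest first on equal start times, so a shorter twin is seen as contained.
    for start, end in sorted(sessions, key=lambda s: (s[0], -s[1])):
        if covered_to is None or start >= covered_to:
            total += end - start
        elif end > covered_to:
            total += end - covered_to
        else:
            continue  # entirely inside earlier logins: clipped out
        counted += 1
        covered_to = end
    return total, counted

def averages(sessions):
    """Average seconds per login, without and with clipping."""
    raw = sum(e - s for s, e in sessions)
    clip_total, clip_count = clipped(sessions)
    return raw / len(sessions), clip_total / clip_count

if __name__ == "__main__":
    print(usage_levels(SESSIONS), clipped(SESSIONS), averages(SESSIONS))
```

       Summing the seconds over all usage levels gives the clipped total, and summing seconds times level
       gives the unclipped total, which is why the average moves when -c is combined with -a.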

       If  the  optional  user-list  is  given  sac  will only consider accounting information from those users,
       discarding the rest.  The -u option can be used to precede the optional user-list.  This option is useful
       to terminate the -x, -T and -H options.

       The -x option has the reverse effect of the -u option, in that it excludes the users specified from
       accounting.  This is useful for removing users that are on a lot, which skew average usage results.

       The -T option performs accounting for only the optionally specified tty lines listed.  This is useful for
       determining  modem  usage,  and  who's been using them the most.  The tty line may be given as a wildcard
       pattern, using `*', `?', `[...]' and `[^...]' to easily select a given set of tty lines (such as ttyC* to
       produce accounting on cyclades tty lines).  Wildcard patterns should be escaped or quoted to avoid having
       the shell process them.

       The -H option performs accounting for only the optionally specified hosts listed.  Since a host-name  can
       only be up to 16 characters long in the wtmp file, only the first 16 characters of a given host-name will
       be considered for purposes of matches.  If a host-name given on the command line  does  not  contain  any
       dots  (.)  or ends with a dot, it is taken to be a substring and will match if the first part of the wtmp
       host-name matches the substring.  Like with tty lines, the hostname may be given  as  a  wildcard,  using
       `*', `?', `[...]' and `[^...]' to easily select a large number of hosts at once (such as *.indstate.*).
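
       The -H matching rules above, as an added Python example that is not sac's own code.  Python's
       fnmatch stands in for sac's wildcard matcher, and case-sensitive matching and leaving wildcard
       patterns untruncated are assumptions; the host names are constructed.

```python
from fnmatch import fnmatchcase

UT_HOSTSIZE = 16  # host-name width in the wtmp file, as stated on this page

def host_matches(pattern, host):
    """Apply the three -H rules to one host name as it would be stored in wtmp."""
    stored = host[:UT_HOSTSIZE]  # the record keeps only the first 16 characters
    if any(c in pattern for c in "*?["):
        # Wildcard pattern; fnmatch spells the negated class [!...] instead of [^...].
        return fnmatchcase(stored, pattern.replace("[^", "[!"))
    wanted = pattern[:UT_HOSTSIZE]
    if "." not in pattern or pattern.endswith("."):
        # No dots, or a trailing dot: match the first part of the stored name.
        return stored.startswith(wanted)
    return stored == wanted  # full host name: compared on 16 characters only

def select(hosts, patterns):
    """Hosts from a list that match at least one -H specifier."""
    return [h for h in hosts if any(host_matches(p, h) for p in patterns)]

# Constructed host names as a login program would have supplied them.
HOSTS = [
    "modem7.indstate.edu",          # stored as "modem7.indstate."
    "modem7.indstate.com",          # stored identically to the host above
    "dialup-pool-17.indstate.edu",  # stored as "dialup-pool-17.i"
]

if __name__ == "__main__":
    for spec in ("*.indstate.*", "modem", "modem7.indstate.edu"):
        print(spec, "->", select(HOSTS, [spec]))
```

       A long host name loses its domain to truncation, so a domain wildcard silently misses it, and two
       hosts that share their first 16 characters cannot be told apart.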

       If  an  option  word  used  in  a -u, -x, -T or -H list begins with an '@' (at) sign, it denotes that the
       option word specifies a file which contains a list of usernames, ttys or hostnames to be applied  to  the
       specific option.  The "include file" may contain comments which are denoted by a '#' (pound) character at
       the beginning of a line, à la shell scripts.  If a word in an include file begins with an '@' as well, it
       denotes another file is to be included.

       The  -f option makes sac perform accounting on both normal logins and ftp logins. The -F option makes sac
       perform accounting on ftp logins, normal logins are not considered.  Sac is only guaranteed to work  with
       wu-ftpd (wu-archive FTP daemon) style of utmp entry for ftp logins, denoted by a line of "ftp#####" where
       "#####" is the process ID of the ftp process.

       The time format for sac defaults to fractions of hours.  Thus 1.5 hours is 1 hour and  30  minutes.   The
       output  time  format  may  be  changed  using  the  command  line options --seconds (seconds only), --hms
       (hour:minute:second format), --hm (hour:minute format), --hours (hours only format),  and  --round  which
       rounds the time to the nearest minute or hour instead of always rounding down.

OPTIONS

       Sac understands the following command line switches:

       --help Outputs a verbose usage listing.

       --verbose
              Prints alerts when sac encounters errors or other strange phenomena. In the case of a null wtmp
              entry (sometimes caused by crackers covering their tracks) sac  will  print  an  approximate  time
              stamp with the alert.

       --version
              Outputs the version of sac.

       -w [wtmp-list|-]
              Select a different input file(s) instead of the default (/var/log/wtmp).  The accounting file type
              is determined by the options used before -w is reached.

       -d     List login time per day instead of the default total time.

       -p     List login time per user instead of the default total time.

       -t     List login time per tty line instead of the default total time.

       -U     List simultaneous usage levels.  Lists amount of time at each usage level  (number  of  ttys  used
              simultaneously) and the number of accountable hours (time * usage level) at each usage level.

       -r     Print  almost  everything  that sac knows about your wtmp file. Time is displayed in seconds.  The
              Hourmask is a 24 bit field representing which hours accounting was performed on (zero for no  mask
              used).  The  format is fairly obvious.  Useful for use as a back-end to some accounting package or
              for graphing usage. Quite verbose.

       -a     Print average information.

       -h     Print hourly profile information.

       -l     Print login listing information.

       -c     Perform login "clipping".  Multiple logins during the same time period will only count once.

       -I H[:M[:S]]
              Ignore specific amount of login time for each user before performing accounting.  Only works  with
              -p option.

       --seconds
              Display time in seconds.

       --hms  Display time in Hours:Minutes:Seconds format.

       --hm   Display time in Hours:Minutes format.  Seconds are rounded off.

       --hours
              Display time in hours only format. Minutes and seconds are rounded off.

       --round
              Round time displayed with "--hm" to the nearest minute, or to the nearest hour with "--hours".

       --longdate
              Displays dates in long notation (weekday, month, day and four digit year).

       -o     Read  the  wtmp  file as if it were an old style BSD wtmp file (old utmp format which does not use
              ut_type field).  Programs such as tacacs maintain a wtmp file which does not use all the fields.

       -S     Attempts to seek into wtmp to the day specified by the -s option (-s MM/DD/YY). Not guaranteed  to
              work.   If  the seek fails it will attempt to rewind input to the beginning and continue normally.
              Useful for seeing the last day's usage from a large wtmp file.

       -X[3]  Read a wtmp file maintained by xtacacs, terminal server access control software, versions 3.4  and
              3.5.

       -X4    Read a wtmp file maintained by xtacacs version 4.0.

       -i     Include  hostname  information  when  trying  to determine logins and logouts.  This is useful for
              accurately parsing tacacs accounting logs which merge accounting  for  multiple  terminal  servers
              into the same log.

       -R portmaster/pattern-list
              Read  and  process  the detail files maintained by the Radius access control software for terminal
              servers.  Sac will process each detail file in /usr/adm/radacct/<portmaster-name>/detail  each  in
              turn  until  all  the  detail files have been processed.  If no portmaster name is given, a detail
              file must be specified with the `-w' option. If a wildcard pattern is given, sac will  attempt  to
              find  all portmaster directories that match the pattern located in the radacct directory. A detail
              file may be specified with the `-w' option in addition to the `-R' option.

       -D     When processing radius logs, this option specifies that sac  should  use  the  @hostname  part  of
              user@hostname for the hostname field instead of the portmaster's hostname.  Useful for -H filtering
              when using radius logs.

       -P     Perform packet and octet accounting when reading from a detail file that  logs  packet  and  octet
              information (i.e. Ascend terminal servers).

       -b hours[:minutes[:seconds]]
              Consider  only  those  utmp  entries  that fall within the last few hours/minutes/seconds from the
              current time, disregarding the rest.  This option is useful for determining if someone has been on
              in the last few hours.

       -s start
              Selects the starting date of the report.

       -e end Selects the ending date of the report.

       -M hour-range[,...]
              Select  only specific hours in a day to perform accounting on instead of all the hours in the day.
              The hour-range format is: (0-23)[-(0-23)[,hour-range[,...]]].  The hour given applies to the whole
              hour, so a range of "5-6" is a time range from 5am to 6:59:59am.

       -f     Perform ftp login accounting in addition to normal shell accounting.

       -F     Perform ftp login accounting only.

       -m     Show  minimum and maximum number of concurrent logins over the total time span or per day/per user
              when used with the -d/-p option.

       -u user-list
              Selects only those users to perform accounting on.

       -x user-list
              Selects those users to not perform accounting on.

       -T tty-list
              Selects those ttys to perform accounting on.  Each tty specifier may be a wildcard.

       -H host-list
              Selects those hosts to perform accounting on.  Each host specifier may be a wildcard.
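
       The null wtmp entry that --verbose alerts on, as an added Python example that is not sac's code.
       It assumes the 384-byte utmp record of glibc on Linux x86-64, not the older layout with 16-character
       host names described on this page, and it brackets the missing entry's time with the neighbouring
       records, which is an assumption about how an approximate time stamp can be derived.  The sample
       image is constructed.

```python
import struct

# Assumption: glibc Linux x86-64 utmp record (384 bytes); other systems differ.
UTMP = struct.Struct("<h2xi32s4s32s256s2hi2i4i20x")
TV_SEC = 9  # position of ut_tv.tv_sec in the unpacked tuple
USER_PROCESS, DEAD_PROCESS = 7, 8

def make_record(ut_type, pid, line, user, host, sec):
    """Build one record for the constructed sample below."""
    return UTMP.pack(ut_type, pid, line, b"", user, host, 0, 0, 0, sec, 0, 0, 0, 0, 0)

def scan_wtmp(data):
    """Return (alerts, trailing_bytes) for a raw wtmp image.

    Each alert describes one all-zero record and the time window it fell in,
    taken from the nearest non-null records on either side.
    """
    size = UTMP.size
    recs = [data[o:o + size] for o in range(0, len(data) - size + 1, size)]
    times = [UTMP.unpack(r)[TV_SEC] if any(r) else None for r in recs]
    alerts = []
    for i, t in enumerate(times):
        if t is not None:
            continue
        earliest = next((x for x in reversed(times[:i]) if x is not None), None)
        latest = next((x for x in times[i + 1:] if x is not None), None)
        alerts.append({"index": i, "offset": i * size,
                       "earliest": earliest, "latest": latest})
    # Leftover bytes mean the file does not end on a record boundary.
    return alerts, len(data) % size

# Constructed image: a login, a zeroed slot, a logout, and a truncated tail.
SAMPLE = (
    make_record(USER_PROCESS, 4101, b"pts/0", b"alice", b"10.0.0.5", 1700000000)
    + bytes(UTMP.size)
    + make_record(DEAD_PROCESS, 4101, b"pts/0", b"", b"", 1700003600)
    + b"\x07\x00"
)

if __name__ == "__main__":
    print(scan_wtmp(SAMPLE))
```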

FILES

       /var/log/wtmp                  login database
       /usr/adm/radacct/.../detail    Radius accounting logs

AUTHOR

       Steve Baker (ice@mama.indstate.edu)

BUGS

       The documentation for wtmp is lacking. It's  not  clear  at  all  what  all  gets  put  in  wtmp  or  the
       significance of any of it.

       The  -o and -X options handle what is a login and a logout differently than normally (because there is no
       ut_type field), making sac incorrectly identify xterm log-outs as a login (xterm does not write a "login"
       entry,  only  a  "logout"  entry  that  looks  just like a login in all respects save the contents of the
       ut_type field).  It should also be noted that last incorrectly handles xterm log-outs as well.

       The -f or -F options should not be used with the -o, -X[3|4] or -R options, as sac will default back to a
       normal utmp format, or ignore the -f or -F directives depending on where they occur on the command line.

       Using  the  -S option will cause sac to skip over accounting information which may well apply to the days
       you are inspecting.  The only sure way to get all the accounting information is to start at the beginning
       or at least a day before the start you are interested in.

       The  -m  option  does  not  accurately report true min/max usage when inspecting more than one logfile if
       those logfiles overlap the same time range.

       The -U option may report incorrect amounts of time when compared to the -t option. As yet I have no  idea
       why.

       Sac  (probably)  only handles changes in time logged in the wtmp file made by netdate. Rdate does not log
       time changes.

       Clipping can affect the output of the average option, as described above.  Radius accounting  uses  Acct-
       Session-Time  to  determine  usage  when  a  stop record has no start record.  Clipping will not function
       correctly when there are missing start records.

       The ut_addr field doesn't seem to be consistently used by all programs, so it cannot be  used  for  exact
       host-name filtering.  Even if it were, it would be too much work for this lazy programmer anyway.

       Radius  detail logs suck.  There is not one standard radius detail file format.  Sac is not guaranteed to
       work with your detail file.  If you suspect sac's output is not correct, please contact the author at the
       e-mail address above.

       Null usernames in radius detail logs are represented as "UNKNOWN" by sac, which may be a valid username.

       Too much accounting results in big brother... citizen.

SEE ALSO

       ac(1), last(1), rawtmp(1), wtmp(5), netdate(8L)