man.bsd.lv manual page server

Manual Page Search Parameters
ACCT(5) File Formats Manual ACCT(5)

acctexecution accounting file

#include <sys/types.h>
#include <sys/acct.h>

The kernel maintains the following acct information structure for all processes. If a process terminates, and accounting is enabled, the kernel calls the acct(2) function call to prepare and append the record to the accounting file. 
#define AC_COMM_LEN 16

/*
 * Accounting structure version 3 (current).
 * The first byte is always zero.
 * Time units are microseconds.
 */

struct acctv3 {
	uint8_t  ac_zero;		/* zero identifies new version */
	uint8_t  ac_version;		/* record version number */
	uint16_t ac_len;		/* record length */

	char	  ac_comm[AC_COMM_LEN];	/* command name */
	float	  ac_utime;		/* user time */
	float	  ac_stime;		/* system time */
	float	  ac_etime;		/* elapsed time */
	time_t	  ac_btime;		/* starting time */
	uid_t	  ac_uid;		/* user id */
	gid_t	  ac_gid;		/* group id */
	float	  ac_mem;		/* average memory usage */
	float	  ac_io;		/* count of IO blocks */
	__dev_t   ac_tty;		/* controlling tty */

	uint16_t ac_len2;		/* record length */
	union {
		uint32_t  ac_align;	/* force v1 compatible alignment */

#define	AFORK	0x01			/* forked but not exec'ed */
/* ASU is no longer supported */
#define	ASU	0x02			/* used super-user permissions */
#define	ACOMPAT	0x04			/* used compatibility mode */
#define	ACORE	0x08			/* dumped core */
#define	AXSIG	0x10			/* killed by a signal */
#define ANVER	0x20			/* new record version */

		uint8_t  ac_flag;	/* accounting flags */
	} ac_trailer;

#define ac_flagx ac_trailer.ac_flag
};

If a terminated process was created by an execve(2), the name of the executed file (at most ten characters of it) is saved in the field ac_comm and its status is saved by setting one of more of the following flags in ac_flag: AFORK, ACOMPAT, ACORE and ASIG. ASU is no longer supported. ANVER is always set in the above structure.

lastcomm(1), acct(2), execve(2), sa(8)

A acct file format appeared in Version 7 AT&T UNIX. The current record format was introduced on May 2007. It is backwards compatible with the previous format, which is still documented in <sys/acct.h> and supported by lastcomm(1) and sa(8).

February 13, 2017 FreeBSD-12.0