> Here is a sample struct acct:
>
> struct acct
> {
> char ac_comm[ACCT_COMM]; /* Accounting command name */
> time_t ac_utime; /* Accounting user time */
> time_t ac_stime; /* Accounting system time */
> time_t ac_etime; /* Accounting elapsed time */
> time_t ac_btime; /* Beginning time */
> uid_t ac_uid; /* Accounting user ID */
> gid_t ac_gid; /* Accounting group ID */
> dev_t ac_tty; /* controlling tty */
> char ac_flag; /* Accounting flag */
> unsigned long ac_minflt; /* Accounting minor pagefaults */
> unsigned long ac_majflt; /* Accounting major pagefaults */
> long ac_exitcode; /* Accounting process exitcode */
>
> int ac_pid; /* Accounting process ID */
> int ac_ppid; /* Accounting process parent ID */
> unsigned long ac_mmio; /* Accounting process I/O */
> };
You've forgotten two additions many people see as quite important...
1) Log number of swaps a process caused (current->nswap or something
equally as easy - all taken care of for you by memory subsystem).
2) Log size of process in memory.
I'm currently running on a 2.0 kernel I've hacked around myself that
incorporates both above logging capabilities in acct.h.
Chris.