Ubuntu
acct package

lastcomm parses acct log file incorrectly (breezy)

Bug #41685 reported by emtulla
8
Affects Status Importance Assigned to Milestone
acct (Debian)
Fix Released
Unknown
acct (Ubuntu)
Fix Released
Medium
Matt Zimmerman

Bug Description

On the i386 version of breezy on my server, the lastcomm command seems to misparse the acct log file. Everything except the process name looks correct, but the process names themselves in the lastcomm output are gibberish. In the non-human readable log file, you can clearly see the command names in plain-text, yet these are what it's somehow messing up when generating the output. This works properly on the i386 hoary server I run at home.

For example, these are the last lines I get from running lastcomm:
X? root ?? 0.00 secs Thu Jan 1 00:00
?? F 34816 ?? 0.00 secs Thu Jan 1 00:00
?? 34816 ?? 0.00 secs Thu Jan 1 00:00
?? 34816 ?? 0.00 secs Thu Jan 1 00:00
x? S 34816 ?? 0.00 secs Thu Jan 1 00:00
The rest of the output is similarly broken, with not a single correct process name.

and this is the current last chunk of the log file where we can clearly see "sh", "find", "cron" and others. (note that it may not match since it probably added to the log between the time I copied the former and latter):
sh^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^C^@^@^@^@^@^@^@^@^@^@^@^@^@^@B^L^@^@A^L^@^@~U^DPD^@^@@@^@^@^@^@<^F^@^@^@^@¦^@^@^@^@^@find^@^@^@^@^@^@^@^@^@^@^@^@^@^C^@^@^@^@^@^@^@^@^@^@^@^@^@^@D^L^@^@A^L^@^@~U^DPD^@^@@@^@^@^A^@^H^G^@^@^@^@~E^@^@^@^@^@xargs^@^@^@^@^@^@^@^@^@^@^@^B^C^@^@^@^@^@^@^@^@^@^@^@^@^@^@A^L^@^@@^L^@^@~U^DPD^@^@@@^@^@^@^@4 ^@^@^@^@K^A^@^@^@^@sh^@^@^@^@^@^@^@^@^@^@^@^@^@^@^A^C^@^@^@^@^@^@^@^@^@^@^@^@^@^@@^L^@^@^^^E^@^@~U^DPD^@^@@@^@^@^@^@ ^G^@^@^@^@D^@^@^@^@^@cron^@^@^@^@^@^@^@^@^@^@^@^@

See original description
Revision history for this message
In , Justin Pryzby (justinpryzby-users) wrote : gnu acct v3

Hello,

I was wondering if GNU acct accounting software is still maintained.
Linux kernel v2.6 has a link for patched accounting software which
supports "account format version 3", and I was wondering if there were
plans to integrate this support into mainline acct.

Thanks,
Justin

Revision history for this message
In , Ciaran O'Riordan (ciaran-member) wrote :

Hi Justin,

> I was wondering if GNU acct accounting software is still maintained.

GNU Acct is still maintained, but I am currently working on the EU software
patents directive, so I sadly have very little time for programming.

A Tim Schmielau emailed me recently to ask if his patch supporting the new
format could be merged into the official release. I hope to do this soon.

> Linux kernel v2.6 has a link for patched accounting software which
> supports "account format version 3", and I was wondering if there were
> plans to integrate this support into mainline acct.

Here's the patches Tim Schmielau pointed me to:
http://www.physik3.uni-rostock.de/tim/kernel/utils/acct/

If there's a different set of patches to do the same thing (make GNU Acct
work with the new format), please let me know.

--
Ciarán O'Riordan,
http://www.compsoc.com/~coriordan/
Have you signed up to help FSF Europe yet? http://www.fsfe.org/

Revision history for this message
In , Ralf Hildebrandt (ralf-hildebrandt) wrote : Identical bugs

merge 289648 327134

Revision history for this message
In , Daniel Baumann (daniel-baumann) wrote : Bug#327134: fixed in acct 6.3.99+6.4pre1-1
Download full text (3.2 KiB)

Source: acct
Source-Version: 6.3.99+6.4pre1-1

We believe that the bug you reported is fixed in the latest version of
acct, which is due to be installed in the Debian FTP archive:

acct_6.3.99+6.4pre1-1.diff.gz
  to pool/main/a/acct/acct_6.3.99+6.4pre1-1.diff.gz
acct_6.3.99+6.4pre1-1.dsc
  to pool/main/a/acct/acct_6.3.99+6.4pre1-1.dsc
acct_6.3.99+6.4pre1-1_i386.deb
  to pool/main/a/acct/acct_6.3.99+6.4pre1-1_i386.deb
acct_6.3.99+6.4pre1.orig.tar.gz
  to pool/main/a/acct/acct_6.3.99+6.4pre1.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <email address hidden> (supplier of updated acct package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 18 Mar 2006 18:38:00 +0100
Source: acct
Binary: acct
Architecture: source i386
Version: 6.3.99+6.4pre1-1
Distribution: unstable
Urgency: low
Maintainer: Daniel Baumann <email address hidden>
Changed-By: Daniel Baumann <email address hidden>
Description:
 acct - The GNU Accounting utilities for process and login accounting
Closes: 187538 208220 208939 212961 241243 282320 287291 289648 290052 291154 293837 303851 307597 314136 327134 331731 357362
Changes:
 acct (6.3.99+6.4pre1-1) unstable; urgency=low
 .
   * New maintainer (Closes: #357362).
   * New upstream release:
     - supporting v3 file format (Closes: #289648, #291154, #327134)
   * Redone debian directory:
     - added watch file.
     - corrected copyright file (Closes: #290052).
     - fixed debconf depends (Closes: #331731).
     - removed references to non-existing pacct in dump-acct.8 (Closes: #293837).
     - removed dpatches: one was merged upstream, manpages are broken-out, and
       /usr/bin/last ist removed after compilation (less intrusive).
     - added Czech debconf translation (Closes: #282320, #287291).
     - added Finnish debconf translation (Closes: #303851).
     - added Vietnamese debconf translation (Closes: #307597).
     - updated Dansk debconf translation (Closes: #241243).
     - updated German debconf translation (Closes: #314136).
   * Acknowledge NMU:
     - fixed gzipped logfile handling in cron.monthly
       (Closes: #187538, #208220, #212961).
     - adjusted logfile path for logger call in init.d (Closes: #208939).
Files:
 b926523358f5f4d9fbaa3848220e5fcc 624 admin optional acct_6.3.99+6.4pre1-1.dsc
 9703f591801c5bbded35c9739d04f81c 318624 admin optional acct_6.3.99+6.4pre1.orig.tar.gz
 e15afcba192b761cca746b416740e5b8 19531 admin optional acct_6.3.99+6.4pre1-1.diff.gz
 1654037bacdcea59b546f4881f4c541d 110704 admin optional acct_6.3.99+6.4pre1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEIyTdxa93SlhRC1oRAg6MAJ9iaO/...

Read more...

Revision history for this message
In , Daniel Baumann (daniel-baumann) wrote : Bug#289648: fixed in acct 6.3.99+6.4pre1-1
Download full text (3.2 KiB)

Source: acct
Source-Version: 6.3.99+6.4pre1-1

We believe that the bug you reported is fixed in the latest version of
acct, which is due to be installed in the Debian FTP archive:

acct_6.3.99+6.4pre1-1.diff.gz
  to pool/main/a/acct/acct_6.3.99+6.4pre1-1.diff.gz
acct_6.3.99+6.4pre1-1.dsc
  to pool/main/a/acct/acct_6.3.99+6.4pre1-1.dsc
acct_6.3.99+6.4pre1-1_i386.deb
  to pool/main/a/acct/acct_6.3.99+6.4pre1-1_i386.deb
acct_6.3.99+6.4pre1.orig.tar.gz
  to pool/main/a/acct/acct_6.3.99+6.4pre1.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <email address hidden> (supplier of updated acct package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 18 Mar 2006 18:38:00 +0100
Source: acct
Binary: acct
Architecture: source i386
Version: 6.3.99+6.4pre1-1
Distribution: unstable
Urgency: low
Maintainer: Daniel Baumann <email address hidden>
Changed-By: Daniel Baumann <email address hidden>
Description:
 acct - The GNU Accounting utilities for process and login accounting
Closes: 187538 208220 208939 212961 241243 282320 287291 289648 290052 291154 293837 303851 307597 314136 327134 331731 357362
Changes:
 acct (6.3.99+6.4pre1-1) unstable; urgency=low
 .
   * New maintainer (Closes: #357362).
   * New upstream release:
     - supporting v3 file format (Closes: #289648, #291154, #327134)
   * Redone debian directory:
     - added watch file.
     - corrected copyright file (Closes: #290052).
     - fixed debconf depends (Closes: #331731).
     - removed references to non-existing pacct in dump-acct.8 (Closes: #293837).
     - removed dpatches: one was merged upstream, manpages are broken-out, and
       /usr/bin/last ist removed after compilation (less intrusive).
     - added Czech debconf translation (Closes: #282320, #287291).
     - added Finnish debconf translation (Closes: #303851).
     - added Vietnamese debconf translation (Closes: #307597).
     - updated Dansk debconf translation (Closes: #241243).
     - updated German debconf translation (Closes: #314136).
   * Acknowledge NMU:
     - fixed gzipped logfile handling in cron.monthly
       (Closes: #187538, #208220, #212961).
     - adjusted logfile path for logger call in init.d (Closes: #208939).
Files:
 b926523358f5f4d9fbaa3848220e5fcc 624 admin optional acct_6.3.99+6.4pre1-1.dsc
 9703f591801c5bbded35c9739d04f81c 318624 admin optional acct_6.3.99+6.4pre1.orig.tar.gz
 e15afcba192b761cca746b416740e5b8 19531 admin optional acct_6.3.99+6.4pre1-1.diff.gz
 1654037bacdcea59b546f4881f4c541d 110704 admin optional acct_6.3.99+6.4pre1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEIyTdxa93SlhRC1oRAg6MAJ9iaO/...

Read more...

Revision history for this message
emtulla (emtulla) wrote :

On the i386 version of breezy on my server, the lastcomm command seems to misparse the acct log file. Everything except the process name looks correct, but the process names themselves in the lastcomm output are gibberish. In the non-human readable log file, you can clearly see the command names in plain-text, yet these are what it's somehow messing up when generating the output. This works properly on the i386 hoary server I run at home.

For example, these are the last lines I get from running lastcomm:
X? root ?? 0.00 secs Thu Jan 1 00:00
?? F 34816 ?? 0.00 secs Thu Jan 1 00:00
?? 34816 ?? 0.00 secs Thu Jan 1 00:00
?? 34816 ?? 0.00 secs Thu Jan 1 00:00
x? S 34816 ?? 0.00 secs Thu Jan 1 00:00
The rest of the output is similarly broken, with not a single correct process name.

and this is the current last chunk of the log file where we can clearly see "sh", "find", "cron" and others. (note that it may not match since it probably added to the log between the time I copied the former and latter):
sh^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^C^@^@^@^@^@^@^@^@^@^@^@^@^@^@B^L^@^@A^L^@^@~U^DPD^@^@@@^@^@^@^@<^F^@^@^@^@¦^@^@^@^@^@find^@^@^@^@^@^@^@^@^@^@^@^@^@^C^@^@^@^@^@^@^@^@^@^@^@^@^@^@D^L^@^@A^L^@^@~U^DPD^@^@@@^@^@^A^@^H^G^@^@^@^@~E^@^@^@^@^@xargs^@^@^@^@^@^@^@^@^@^@^@^B^C^@^@^@^@^@^@^@^@^@^@^@^@^@^@A^L^@^@@^L^@^@~U^DPD^@^@@@^@^@^@^@4 ^@^@^@^@K^A^@^@^@^@sh^@^@^@^@^@^@^@^@^@^@^@^@^@^@^A^C^@^@^@^@^@^@^@^@^@^@^@^@^@^@@^L^@^@^^^E^@^@~U^DPD^@^@@@^@^@^@^@ ^G^@^@^@^@D^@^@^@^@^@cron^@^@^@^@^@^@^@^@^@^@^@^@

Revision history for this message
Jamu Kakar (jkakar) wrote :

This same bug exists in the current dapper package: acct 6.3.5-39. The problem is fixed in upstream version 6.4-pre1.

Revision history for this message
emtulla (emtulla) wrote : Re: [Bug 41685] Re: lastcomm parses acct log file incorrectly (breezy)

Jamshed,

Thanks for the update. Will the fix eventually find
it's way into Breezy, or will I have to wait and
manually install the updated package at a later date
myself?

Thanks for the help!

-Eric

--- Jamshed Kakar <email address hidden> wrote:

> This same bug exists in the current dapper package:
> acct 6.3.5-39. The
> problem is fixed in upstream version 6.4-pre1.
>
> --
> lastcomm parses acct log file incorrectly (breezy)
> https://launchpad.net/bugs/41685
>

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

Revision history for this message
Matt Zimmerman (mdz) wrote :

What seems to have happened is that the kernel interface changed incompatibly, and a newer acct is needed to support the new format. I've reviewed the changes in the upstream changelog, and there are few changes apart from adding support for multiple formats in order to correct this situation.

Excerpt from the documentation (excuse the texinfo markup):

@unnumberedsec Support for Multiple Accounting File Formats under Linux

The detailed format of the @code{acct} file written by the Linux kernel
varies depending on the kernel's version and configuration:
Linux kernels 2.6.7 and earlier write a v0 format @code{acct} file
which unfortunately cannot store user and group ids (@code{uid}/@code{gid})
larger than 65535.
Kernels 2.6.8 and later write the @code{acct} file in v1, v2 or v3 formats.
(v3 if @code{BSD_PROCESS_ACCT_V3} is selected in the kernel configuration,
otherwise v1 if on the m68k architecture or v2 everywhere else).

Since version 6.4 the GNU accounting utilities on Linux systems are
able to read all of the v0, v2 and v3 file formats (v1 is not supported).
Thus you do not need to worry about the details given above. You can even
read @code{acct} files where different records were written by differently
configured kernels (you can find out about the format of each entry by
using the @code{dump-acct} utility). In case you ever need to convert
an @code{acct} file to a different format, the @code{--raw} option of
@code{dump-acct} does that together with the new @code{--format} and
@code{--byteswap} options that determine format and byte order of the
output file.

Multiformat support under Linux is intended to be a temporary solution
to aid in switching to the v3 @code{acct} file format. So do not expect
GNU acct 6.5 to still contain Multiformat support. In a few years
time, when everybody uses the v3 format, the ability to read multiple
formats at runtime will probably be dropped again from the GNU accounting
utilities.
This does not, however, affect the ability to adapt to the @code{acct} file
format at compile time (when @code{./configure} is run). Even GNU acct 6.3.5
(that does not know about multiple file formats) will yield working binary
programs when compiled under a (as yet hypothetical) Linux kernel 2.6.31
that is only able to write the v3 format.

Revision history for this message
Matt Zimmerman (mdz) wrote :

I've imported acct 6.3.99+6.4pre1-1 from Debian which fixes this bug

Changed in acct:
assignee: nobody → mdz
status: Unconfirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.