iacctd
======

This daemon reads the data from the kernel and writes it to
a specified file. It must be running if you want to see any
of the accounting data.

iacctd can be called with the following options:

iacctd [-o] [-d] [-c cfgfilename]
iacctd -f filename
iacctd -u path-prefix

-o tells iacctd to do just one read-log cycle
-d tells iacctd to output the raw data read from the kernel (debug-mode)

If you call iacctd with either -o or -d it doesn't auto background
itself.

-c tells iacctd which configuration file to read. At the moment
all you can configure is which networks to exclude. The default file is
/etc/iaccttab.
The syntax of this file is simple. You can give one network to
exclude per line, the syntax is
ignorenet netnumber netmask
An example:
ignorenet 127.0.0.0 255.0.0.0

The option -f tells iacctd which file to append the accounting data to.

The option -u tells iacctd to log to seperate files for each user.
The filenames are generated by appending the numerical uid to
the path prefix given with -u. Note that this is a string only
operation.

A typical call to iacctd would be:
/usr/sbin/iacctd -f /var/adm/inet-accounting

This starts iacctd and tells it to append the accounting data
to /var/adm/inet-accounting

Another example is
/usr/sbin/iacctd -u /var/adm/inet-accounting/uid-

This will log traffic for root in /var/adm/inet-accounting/uid-0,
and so on for each uid.

To make automated splitting/moving of the logfiles possible while the
daemon is running the daemon creates a lockfile /var/lock/LCK..iacctd
whenever it writes output. When a lockfile exists the daemon will wait
until it goes away. So to move a logfile you should check for
the existence of the lockfile, create one if it doesn't exist (to
make it 100% reliable you should make this atomic with the check),
move the logfile and erase the lockfile again.

There is another facility provided: When the daemon receives a SIGTSTP
it suspends writing output until it receives a SIGCONT.

tuneacct
========

With this tool you can set what subnet to exclude from accounting.
You can also get the current settings.

The syntax is:
tuneacct set <addr> [mask <addr>]
tuneacct show

To exclude the network 193.97.238.0 from accounting, the appropriate call
would be:

tuneacct set 193.97.238.0

This is equivalent to

tuneacct set 193.97.238.0 mask 255.255.255.0

tuneacct tries to figure out your netmask automatically, but this
doesn' work in all cases (subnetting not on byte boundary etc).
In these cases you must specify your netmask by hand.

To get the current settings:

tuneacct show

iacct2rdbl
==========

This simple perl script converts the output of iacctd to a somewhat more
readable form.
It resolves hostnames etc.

Usage is quite simple, it works as a filter but you can also
give it names of files to process on the command line.

