Unique process id (not pid) and accounting daemon

[Jilles Tjoelker]

On Mon, Jan 25, 2010 at 02:33:35AM +0300, cronfy wrote:
> I am trying to create an accounting daemon that would be more precise
> than usual BSD system accounting. It should read the whole process
> tree from time to time (say, every 10 seconds) and log changes in
> usage of CPU, I/O operations and memory per process. After daemon
> notices process exit, it should read /var/account/acct to get a last
> portion of accounting data and make a last entry for the process. Also
> daemon should read /var/account/acct to find information about
> processes that had been running between taking process tree snapshots.

> There is a problem: it is not always possible to link a process in a
> process tree against matching process in an accounting file. Only
> command name, user/group id  and start time will match, but:

>  * start time may change (i. e. after ntpdate);
>  * command name saved in /var/account/acct is 15 characters max
> (AC_COMM_LEN in sys/sys/acct.h), while command name in the process
> tree is 19 characters max (MAXCOMLEN in sys/sys/param.h).

> To ensure that process in the process tree and process in the
> accounting file are the same, I want to add unique process identifier
> (uint64_t) to 'proc' struct in sys/sys/proc.h and increment it for
> every process fork. I see it is possible to do this just before
> sx_sunlock() in fork1() in sys/kern/kern_fork.c. I'll have to add
> saving of this identifier in kern_acct.c, of course.

> This way I will be extremely easy to remember a process in the process
> tree and find a matching one in the accounting file after it finishes.

> Am I looking in a right direction or should I try some other way?
> Thanks in advance.

Have you looked at audit(4)?

-- 
Jilles Tjoelker