Hi Sebastian,
Yep. Kernel-land tools are the right ones, although acct(2) only works when the process calls exit(2).
Not quite (good that you mention it). The program gets logged when the task is being removed from the task list in do_exit() inside the kernel. The actual reason why it died doesn't count (besides, there is a bug in the lastcomm(1) manpage: not only SIGTERM causes that "X" in lastcomm's output!), since this reason is beyond the control of the userspace at this stage.
Programs killed with SIGKILL for example don't appear in the logs then.
This is a good reason for not trying this in user- and libraryspace.
# cd /var/account/
# touch pacct
# chmod 640 pacct
# accton pacct
# ls -la pacct
-rw-r----- 1 root root 64 Sep 18 14:08 pacct
# sleep 400 &
[1] 16390
# kill -9 16390
#
[1]+ Killed sleep 400
#
# lastcomm
sleep X root stdin 0.01 secs Tue Sep 18 14:08
ls root stdin 0.00 secs Tue Sep 18 14:08
accton S root stdin 0.00 secs Tue Sep 18 14:08
# accton
Roman.
--
Roman Drahtmüller
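
Added example, not part of the original message: a parser for the binary records that lastcomm reads, showing where the "X" flag comes from. It assumes the Linux acct_v3 record layout from acct(5) on a little-endian host; the sample records are constructed to mirror the session above, and reading ac_exitcode as a wait-style status is an assumption.

```python
import struct

# struct acct_v3 per acct(5): flag, version, tty, exitcode, uid, gid, pid,
# ppid, btime, etime (float), 8 x comp_t, comm[16]. 64 bytes per record.
ACCT_V3 = struct.Struct("<BBH6If8H16s")
# ac_flag bits and the letters lastcomm prints for them.
FLAGS = [(0x01, "F"),   # AFORK: forked but never exec'd
         (0x02, "S"),   # ASU:   used superuser privileges
         (0x08, "D"),   # ACORE: dumped core
         (0x10, "X")]   # AXSIG: killed by a signal (any signal)


def comp_t(c):
    """Decode comp_t: 13-bit mantissa, 3-bit base-8 exponent (clock ticks)."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def parse_pacct(data):
    """Yield one dict per complete record; a truncated tail is ignored."""
    for off in range(0, len(data) - ACCT_V3.size + 1, ACCT_V3.size):
        f = ACCT_V3.unpack_from(data, off)
        flag, version, exitcode = f[0], f[1], f[3]
        if version != 3:
            raise ValueError(f"record at offset {off}: not acct_v3")
        yield {
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
            "flags": "".join(ch for bit, ch in FLAGS if flag & bit),
            "uid": f[4],
            "pid": f[6],
            "cpu_ticks": comp_t(f[10]) + comp_t(f[11]),
            # Assumption: low 7 bits of ac_exitcode carry the signal number.
            "signal": exitcode & 0x7F if flag & 0x10 else None,
        }


def make_record(comm, flag, exitcode, pid):
    """Build one constructed acct_v3 record (timestamps are made up)."""
    return ACCT_V3.pack(flag, 3, 0, exitcode, 0, 0, pid, 1, 1000814880,
                        0.0, 1, 0, 0, 0, 0, 0, 0, 0, comm.encode())


# Constructed sample: accton (superuser), ls, then sleep killed with -9.
SAMPLE = (make_record("accton", 0x02, 0, 16388)
          + make_record("ls", 0x00, 0, 16389)
          + make_record("sleep", 0x10, 9, 16390))

if __name__ == "__main__":
    for rec in parse_pacct(SAMPLE):
        print(rec)
```
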