I found out something very interesting:

GNU acct tools (accton, lastcomm, etc) can support the V1/V2 format OR V3 format at any given time.

The Linode kernel has all 3 compiled in, so acct reverts to V1/V2 support (odd, I know). It should properly work if V1/V2 accounting support is disabled, and V3 left enabled, and then a recompile.

Or if V1/V2 is enabled and V3 is disabled, then it will also work, too.

Symptoms of it not working:

(?                      1024     ??         0.00 secs Wed Dec 31 19:00
??                      root     ??         0.00 secs Wed Dec 31 19:00
D?                      1024     ??         0.00 secs Wed Dec 31 19:00
@?                      1024     ??         0.00 secs Wed Dec 31 19:00
(?                      1024     ??         0.00 secs Wed Dec 31 19:00

The kernel I am using is 2.6.9-linode9.

Looks like V1/V2/V3 are all enabled in the Linode kernel:

# gzcat /proc/config.gz | grep ACCT
CONFIG_BSD_PROCESS_ACCT=y
CONFIG_BSD_PROCESS_ACCT_V3=y

Since I don't see an obvious way to turn on only V3 in the kernel, is there any way we could go back to the V1/V2 support by disabling only the V3 support in the kernel?

Or is there a V3-aware accounting tool other than GNU acct that can deal with 2.6 + V3?

I find process accounting useful; it's not as good as something like RBAC / BSM, obviously, but it's not bad as a starting point.

I've opened a ticket (#8360) on this, but posted comments here as well in hopes of seeing if there's some other tool that I didn't know, that might be able to handle it without disabling V3.

I can confirm that GNU acct works properly on my non-UML machine at home when V3 is disabled, on a 2.6.9-gentoo-r8 kernel:

ps                      root     stdin      0.01 secs Sun Dec 12 11:20
ls                      root     stdin      0.00 secs Sun Dec 12 11:20
accton                  root     stdin      0.00 secs Sun Dec 12 11:20 

Under Gentoo on a Linode running 2.6.9-linode9, here is how to reproduce this problem:

# emerge acct
# accton /var/account/pacct
# pwd && ls && ps
# lastcomm

For a non-Gentoo box, one can just fetch the source tarball for the current version, do a ./configure and then 'make && make install' then do the other commands after emerge.

http://ftp.debian.org/debian/pool/main/a/acct/acct_6.3.5.orig.tar.gz

-Dan

Some guy (Tim Schmielau, to be precise) was working on a version of acct that read all the formats. Had you seen it before? I haven't tried it myself.
It's at http://www.physik3.uni-rostock.de/tim/kernel/utils/acct/.

Ahh! Very nice. You are, of course, correct. Works great, thank you very much. (Tested it.)

Chris, if you see this, please cancel my request in ticket #8360. Thanks!

-Dan

Join me in pestering people to get it into mainstream acct, then!

Following up: I see it's now in ~x86, so I've selected that. Works great now with it integrated to Portage ebuild management.