All geek questions in one place

How to determine which Daemon process is being written to a file

I need to define a daemon process that is periodically written to a log file. The problem is that I have no idea which process is doing this work, and I need to show some progress to the client tomorrow. Does anyone have a key?

I have already parsed daemon processes running on the system using PPID. Any help would be appreciated.

I also think that (perhaps rarely) for a daemon to not have a PPID like 1. How can we find out?

+4
source share
3 answers

Try running the fuser command in your log file, which will display the PIDs of the processes using it.

Example:

 $ fuser file.log file.log: 3065
+5
source

lsof gives a list of open process files. Therefore lsof | grep <filename> lsof | grep <filename> should help you.

+4
source

You can use auditctl.

 # sudo apt-get install auditd # sudo /sbin/auditctl -w /path/to/file -p war -k hosts-file -w watch /etc/hosts -p warx watch for write, attribute change, execute or read events -k hosts-file is a search key. # sudo /sbin/ausearch -f /path/to/file | more

Gives a conclusion, for example

type = UNKNOWN [1327] msg = audit (1459766547.822: 130): proctitle = 2F7573722F7362696E2F61706163686532002D6B007374617274 type = PATH msg = audit (1459766547.822: 130): item = 0 name = "/ path / to15 / 1661 00 mode = 0100444 ouid = 33 ogid = 33 rdev = 00: 00 nametype = NORMAL type = CWD msg = audit (1459766547.822: 130): cwd = "/" type = SYSCALL msg = audit (1459766547.822: 130): arch = c000003e syscall = 2 success = yes exit = 41 a0 = 7f3c23034cd0 a1 = 80,000 a2 = 1b6 a3 = 8 items = 1 ppid = 24452 pid = 6797 auid = 42949672 95 uid = 33 gid = 33 euid = 33 suid = 33 fsuid = 33 egid = 33 sgid = 33 fsgid = 33 tty = (none) ses = 4294967295 comm = "apache2" exe = "/ usr / sbin / apache2" key = "hosts file"

0
source

Source: https://habr.com/ru/post/1392496/

More articles:


All Articles