Jay Taylor's notes

back to listing index

linux - Find out which process is writing into a specific directory - Server Fault

[web search]
Original source (serverfault.com)
Tags: linux filesystem troubleshooting debugging system-audit serverfault.com
Clipped on: 2021-03-24

Image (Asset 2/9) alt= Questions
  • Tags
  • Users
  • Unanswered
  • Find a Job
  • Jobs
  • Companies
    1. Teams
      Stack Overflow for Teams – Collaborate and share knowledge with a private group. Image (Asset 3/9) alt=
      Create free Team
  • Asked 9 years, 6 months ago
    Viewed 30k times

    I have a directory /some/dir, and I see that new files appear there all the time. How do I find out which process is creating those files?

    Use kernel audit subsystem

    auditctl -w /some/dir/ -p war -k whatsgoingon

    That sets up a hook waiting for something happening under /some/dir/.

    Then make sure you have auditd daemon running. After that just wait until files appear and see from /var/log/auditd.log or wherever it in your system writes and read what happened and by what process.

    answered Sep 24 '11 at 10:07
    Image (Asset 5/9) alt=
    Thanks, this looks like it does exactly that, although it requires the audit tools installed which probably aren't everywhere by default. But ok, if one needs that information, they can always be installed. – homer5439 Sep 24 '11 at 10:19
  • As a note to people seeing this: you can't place watches on the top-level directories (prohibited by the kernel) – Tony Sepia Feb 1 '19 at 11:34
  • 1
    That's really an efficient way! Thanks a lot!!! BTW, when you're done, you can remove all the hooks to avoid writing the audit log forever by auditctl -D. You may use auditctl -l to list all hooks. – Robert Mar 27 '19 at 9:08
  • 20

    Try lsof +r2 | grep '/some/dir'. This will show processes accessing /some/dir and refresh every 2 seconds.

    answered Sep 24 '11 at 9:51
    Image (Asset 6/9) alt=
    Thaks, this is quite close to what I need, as it produces the whole list of open files first, then filters by /some/dir. However if processes create the files very quickly and don't keep them open, I understand that the above may miss some even. I think in that case the only option is the audit subsystem, right? – homer5439 Sep 24 '11 at 10:18
  • 1
    Your assumption is right. Another idea is to use inotifywait, see linux.die.net/man/1/inotifywait – weeheavy Sep 24 '11 at 11:30
  • thanks, I had considered inotify tools before, however I found that they work purely at the filesystem level and don't seem to be able to provide info about who did what. – homer5439 Sep 24 '11 at 11:41
  • 0

    lsof can help:

    # lsof -r1 /some/dir/*
    answered Sep 24 '11 at 9:52
    Image (Asset 7/9) alt=
    Thanks. Is it correct that the above command only tells me who is accessing existing files but doesn't show anything for newly created files? My understanding is that /some/dir/* expands to the list of files present at the time the command is invoked. – homer5439 Sep 24 '11 at 10:15

    Your Answer

    Thanks for contributing an answer to Server Fault!

    • Please be sure to answer the question. Provide details and share your research!

    But avoid

    • Asking for help, clarification, or responding to other answers.
    • Making statements based on opinion; back them up with references or personal experience.

    To learn more, see our tips on writing great answers.

    Community wiki

    Not the answer you're looking for? Browse other questions tagged or ask your own question.

    Hot Network Questions

    more hot questions

    site design / logo © 2021 Stack Exchange Inc; user contributions licensed under cc by-sa. rev 2021.3.24.38897