Skip to main content
Unix & Linux

Return to Question

Explain why lsof (or other polled solutions) will not work.
Source Link
Wayne Conrad
Wayne Conrad
  • 602
  • 1
  • 6
  • 15

A specific file on our production servers is being modified at apparently random times which do not appear to correlate with any log activity. We can't figure out what program is doing it, and there are many suspects. How can I find the culprit?

It is always the same file, at the same path, but on different servers and at different times. The boxes are managed by puppet, but the puppet logs show no activity at the time the file is modified.

What kernel hook, tool, or technique could help us find what process is modifying this file?

lsof is unsuitible for this, because the file is being opened, modified and closed very quickly. Any solution that relies upon polling (such as running lsof often) is no good.

  • OS: Debian testing
  • Kernels: Linux, 2.6.32 through 3.9, both 32 and 64-bit.

A specific file on our production servers is being modified at apparently random times which do not appear to correlate with any log activity. We can't figure out what program is doing it, and there are many suspects. How can I find the culprit?

It is always the same file, at the same path, but on different servers and at different times. The boxes are managed by puppet, but the puppet logs show no activity at the time the file is modified.

What kernel hook, tool, or technique could help us find what process is modifying this file?

  • OS: Debian testing
  • Kernels: Linux, 2.6.32 through 3.9, both 32 and 64-bit.

A specific file on our production servers is being modified at apparently random times which do not appear to correlate with any log activity. We can't figure out what program is doing it, and there are many suspects. How can I find the culprit?

It is always the same file, at the same path, but on different servers and at different times. The boxes are managed by puppet, but the puppet logs show no activity at the time the file is modified.

What kernel hook, tool, or technique could help us find what process is modifying this file?

lsof is unsuitible for this, because the file is being opened, modified and closed very quickly. Any solution that relies upon polling (such as running lsof often) is no good.

  • OS: Debian testing
  • Kernels: Linux, 2.6.32 through 3.9, both 32 and 64-bit.
Post Closed as "Duplicate" by Gilles 'SO- stop being evil', Anthon, slm, jasonwryan, Joseph R.
Tweeted twitter.com/#!/StackUnix/status/398116283281326081
More accurate title. Remove needless word.
Source Link
Wayne Conrad
Wayne Conrad
  • 602
  • 1
  • 6
  • 15

Find which programprocess is modifying a file

A specific file on our production servers is being modified at apparently random times which do not appear to correlate with any log activity. We can't figure out what program is doing it, and there are many suspects. How can I find the culprit?

It is always the same file, at the same path, but on different servers and at different times. The boxes are managed by puppet, but the puppet logs show no puppet activity at the time the file is modified.

What kernel hook, tool, or technique could help us find what process is modifying this file?

  • OS: Debian testing
  • Kernels: Linux, 2.6.32 through 3.9, both 32 and 64-bit.

Find which program is modifying a file

A specific file on our production servers is being modified at apparently random times which do not appear to correlate with any log activity. We can't figure out what program is doing it, and there are many suspects. How can I find the culprit?

It is always the same file, at the same path, but on different servers and at different times. The boxes are managed by puppet, but the puppet logs show no puppet activity at the time the file is modified.

What kernel hook, tool, or technique could help us find what process is modifying this file?

  • OS: Debian testing
  • Kernels: Linux, 2.6.32 through 3.9, both 32 and 64-bit.

Find which process is modifying a file

A specific file on our production servers is being modified at apparently random times which do not appear to correlate with any log activity. We can't figure out what program is doing it, and there are many suspects. How can I find the culprit?

It is always the same file, at the same path, but on different servers and at different times. The boxes are managed by puppet, but the puppet logs show no activity at the time the file is modified.

What kernel hook, tool, or technique could help us find what process is modifying this file?

  • OS: Debian testing
  • Kernels: Linux, 2.6.32 through 3.9, both 32 and 64-bit.
Source Link
Wayne Conrad
Wayne Conrad
  • 602
  • 1
  • 6
  • 15

Find which program is modifying a file

A specific file on our production servers is being modified at apparently random times which do not appear to correlate with any log activity. We can't figure out what program is doing it, and there are many suspects. How can I find the culprit?

It is always the same file, at the same path, but on different servers and at different times. The boxes are managed by puppet, but the puppet logs show no puppet activity at the time the file is modified.

What kernel hook, tool, or technique could help us find what process is modifying this file?

  • OS: Debian testing
  • Kernels: Linux, 2.6.32 through 3.9, both 32 and 64-bit.