
I would like to see which program got a PID most frequently and second most frequently in my system since the last reboot. If I run top now, I can see the PID column and the COMMAND column, but only for the system state at the current moment. I'd like to dig up some log, or enable some log, so that whenever something gets a new PID with some COMMAND, I can add a row to a table and analyze that table. For example:

```
    1 root      20   0  168424  10960   7820 S   0.0   0.1   0:02.78 systemd
    2 root      20   0       0      0      0 S   0.0   0.0   0:00.01 kthreadd
    3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp
    4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par_gp
    6 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker/0:0H-events_highpri
    9 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 mm_percpu_wq
   10 root      20   0       0      0      0 S   0.0   0.0   0:02.26 ksoftirqd/0
   11 root      20   0       0      0      0 I   0.0   0.0   0:31.57 rcu_sched
```

You can see that a few PIDs already exited (like 5, 7, 8). I'd like to record them all once they started. Is there a command or utility that does this?

1 Answer


Here is a native solution using auditd, which uses the audit features built into the Linux kernel.

```
# Record every new task (process or thread) the kernel creates
auditctl -a always,task
# The rule below should also work; pick one.
# arch=b64 matches only 64-bit syscalls; a multilib system also needs an arch=b32 rule.
auditctl -a always,exit -F arch=b64 -S clone,fork,vfork,execve
systemctl restart auditd
# wait a while and use your computer
```

Alternatively, write audit's config file, enable the service and reboot

```
echo "-a always,task" > /etc/audit/rules.d/logpid.rules
# append (>>) so the second rule does not overwrite the first; either rule alone also works
echo "-a always,exit -F arch=b64 -S clone,fork,vfork,execve" >> /etc/audit/rules.d/logpid.rules
systemctl enable auditd
systemctl start auditd
reboot
```

Then, after reboot, use for a while and check audit report:

```
# per-executable summary, sorted by the number of audit events
aureport --start today --interpret --executable --summary
# per-syscall summary (clone/fork/execve counts)
aureport --start today --interpret --syscall --summary
```
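If you would rather build the table the question asks for yourself instead of relying on aureport's summary, the raw records in /var/log/audit/audit.log can be counted directly. The script below is an added example, not part of the answer: it parses constructed SYSCALL records produced by the execve rule above, keeps only successful execs, and ranks executables by how often a PID was given that program image. It assumes x86_64 (arch=c000003e, execve=59, execveat=322); other architectures use different syscall numbers.

```python
import re
from collections import Counter

# Constructed sample of raw audit.log lines (not real data from the page).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000001.100:101): arch=c000003e syscall=59 success=yes exit=0 pid=2001 ppid=1500 comm="bash" exe="/usr/bin/bash" key=(null)
type=EXECVE msg=audit(1700000001.100:101): argc=1 a0="bash"
type=SYSCALL msg=audit(1700000001.200:102): arch=c000003e syscall=59 success=yes exit=0 pid=2002 ppid=2001 comm="ls" exe="/usr/bin/ls" key=(null)
type=SYSCALL msg=audit(1700000001.300:103): arch=c000003e syscall=59 success=yes exit=0 pid=2003 ppid=2001 comm="ls" exe="/usr/bin/ls" key=(null)
type=SYSCALL msg=audit(1700000001.400:104): arch=c000003e syscall=56 success=yes exit=2004 pid=2001 ppid=1500 comm="bash" exe="/usr/bin/bash" key=(null)
type=SYSCALL msg=audit(1700000001.500:105): arch=c000003e syscall=59 success=no exit=-2 pid=2004 ppid=2001 comm="bash" exe="/usr/bin/bash" key=(null)
type=SYSCALL msg=audit(1700000001.600:106): arch=c000003e syscall=59 success=yes exit=0 pid=2004 ppid=2001 comm="grep" exe="/usr/bin/grep" key=(null)
type=SYSCALL msg=audit(1700000001.700:107): arch=c000003e syscall=59 success=yes exit=0 pid=2005 ppid=2001 comm="ls" exe="/usr/bin/ls" key=(null)
type=SYSCALL msg=audit(1700000001.800:108): arch=c000003e syscall=59 success=yes exit=0 pid=2006 ppid=2001 comm="bash" exe="/usr/bin/bash" key=(null)
"""

# Assumption: x86_64 only. arch is checked so records from other ABIs are not misread.
X86_64_ARCH = "c000003e"
EXEC_SYSCALLS = {"59", "322"}  # execve, execveat on x86_64

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into key=value fields, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def exec_counts(log_text):
    """Count successful exec syscalls per executable path in raw audit.log text."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.startswith("type=SYSCALL "):
            continue  # EXECVE/CWD/PATH records belong to the same event; count it once
        rec = parse_record(line)
        if rec.get("arch") != X86_64_ARCH or rec.get("syscall") not in EXEC_SYSCALLS:
            continue  # fork/clone records: the PID exists but no program image yet
        if rec.get("success") != "yes":
            continue  # failed exec: the PID kept its previous program
        # Note: auditd hex-encodes exe= when the path contains spaces or control bytes.
        counts[rec.get("exe", "?")] += 1
    return counts


def top_programs(log_text, n=2):
    """Return the n most frequently exec'd programs as (exe, count), highest first."""
    return exec_counts(log_text).most_common(n)


if __name__ == "__main__":
    for exe, count in top_programs(SAMPLE_AUDIT_LOG):
        print(f"{count:6d}  {exe}")
```

Point it at the real file with `top_programs(open("/var/log/audit/audit.log").read())` (root needed); since the log is rotated, also include audit.log.1 and friends if you want everything since the reboot.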
