DTrace script to trace processes entering vfs::vop_remove
dteske at FreeBSD.org
dteske at FreeBSD.org
Wed Dec 3 23:19:59 UTC 2014
Hi markj, list,
I wrote a script for $work to help me find out "who on Earth
keeps deleting files XYZ?" from a particular storage server.
Please find attached a copy of watch_vop_remove.d which
has the following sample output:
2014 Dec 3 11:58:52 rm[75596]: /tmp/foo
-+= 72846 0.0 -bash
\-+= 75589 0.0 /bin/bash /usr/home/support/bash_script
\-+= 75596 0.0 rm -f /tmp/foo
The above sample output was displayed when executing the following shell
script:
#!/bin/bash
touch /tmp/foo
rm -f /tmp/foo
The output format displayed for each vop_remove() call is as follows:
DATE process[PID]: PATH_TO_DELETE
-+= GPID UID.GID grandparent_process [arguments (up to 3)]
\-+= PPID UID.GID parent_process [arguments (up to 3)]
\-+= PID UID.GID process [arguments (up to 3)]
NB: Requires "kldload dtraceall" to be performed prior to execution
--
Cheers,
Devin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: watch_vop_remove.d
Type: application/octet-stream
Size: 16184 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-dtrace/attachments/20141203/3a1b7ace/attachment.obj>
More information about the freebsd-dtrace
mailing list