[Sussex] How do I enable auditing?

Karl E. Jorgensen karl at jorgensen.com
Fri Mar 11 10:34:50 UTC 2005


Hi!

On Wed, Mar 09, 2005 at 10:54:42AM -0000, Brendan Whelan wrote:
> A file literally called "/filename" is being re-opened and appended to
> every minute. The messages written relate to MySQL errors and don't
> emanate from my application. Someone suggested enabling "auditing" to
> find out more information and, hopefully, to track down the source. 

You don't necessarily have to switch on auditing to track this down -
there are another couple of avenues that you may want to pursue first:

- repeated runs of "lsof" to see what has the file open. If you're lucky
  and run lsof while it has the file open then the culprit should show
  up. 
- It sounds like logging: if so then it can probably be configured. And
  configuration information is kept in /etc. So this might help:
    # find /etc -type f -print|xargs grep -l /filename
  if the file is mentioned in a config file, this should find it
- Change the permissions on the file so the culprit will start to spew
  out errors. Then follow the error messages.
- If the above doesn't work (presumably because it is root doing it):
  rename the file and create a directory in its place. Trying to append
  to a directory will cause errors, which the culprit should start
  spewing out.
- replace the file with a fifo and have nothing reading from it. Then
  the culprit should hang - and lsof will be able to show you the
  (now hung) culprit trying to write to it. The culprit can be made to
  continue by reading from the fifo: cat < /filename > /dev/null

Of course, the above assumes that you don't get enough clues from the
text actually written to the file...

Hope this helps

-- 
Karl E. Jørgensen
karl at jorgensen.com   http://karl.jorgensen.com
==== Today's fortune:
"Indecision is the basis of flexibility"
-- button at a Science Fiction convention.
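
The "repeated runs of lsof" idea from the message above, as an added example that is not part of the original post: it polls /proc on Linux for any process holding the file open, so a writer that only opens it briefly has a better chance of being caught. The function names holders and watch_for_writer are hypothetical, and the 0.1 second poll interval is an assumption.

```shell
# Added example (Linux only, reads /proc). Run as root to see other
# users' processes; entries that cannot be read are silently skipped.

# holders PATH: print "PID COMMAND" for each process with PATH open.
holders() {
    target=$(readlink -f -- "$1") || return 1
    for fd in /proc/[0-9]*/fd/*; do
        # Each fd entry is a symlink to the file the process has open.
        [ "$(readlink -- "$fd" 2>/dev/null)" = "$target" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        # cmdline is NUL-separated; the process may exit before we read it.
        printf '%s %s\n' "$pid" \
            "$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")"
    done | sort -u
}

# watch_for_writer PATH [POLLS]: poll every 0.1s (default 600 polls,
# about one minute) and print the first set of holders seen.
# An open/append/close that completes between two polls is still missed.
watch_for_writer() {
    polls=${2:-600}
    while [ "$polls" -gt 0 ]; do
        hit=$(holders "$1") || return 1
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
        polls=$((polls - 1))
        sleep 0.1
    done
    return 1
}

# Usage: watch_for_writer /filename 1200
```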