[Sussex] How do I enable auditing?
Karl E. Jorgensen
karl at jorgensen.com
Fri Mar 11 10:34:50 UTC 2005
Hi!
On Wed, Mar 09, 2005 at 10:54:42AM -0000, Brendan Whelan wrote:
> A file literally called "/filename" is being re-opened and appended to
> every minute. The messages written relate to MySQL errors and don't
> emanate from my application. Someone suggested enabling "auditing" to
> find out more information and, hopefully, to track down the source.
You don't necessarily have to switch on auditing to track this down -
there are another couple of avenues that you may want to persue first:
- repeated runs of "lsof" to see what has the file open. If you're lucky
and run lsof while it has the file open then the culprit should show
up.
- It sounds like logging: if so then it can probably be configured. And
configuration information is kept in /etc. So this might help:
# find /etc -type f -print|xargs grep -l /filename
if the file is mentioned in a config file, this should find it
- Change the permissions on the file so the culprit will start to spew
out errors. Then follow the error messages.
- If the above doesn't work (presumably because it is root doing it):
rename the file and create a directory in its place. Tryin to append
to a directory will cause errors, which the culprit should start
spewing out.
- replace the file with a fifo and have nothing reading from it. Then
the culprit should hang - and lsof will be able to show you the
(now hung) culprit trying to write to it. The culprit can me made to
continue by reading from the fifo: cat < /filename > /dev/null
Of course, the above assumes that you don't get enough clues from the
text actually written to the file...
Hope this helps
--
Karl E. Jørgensen
karl at jorgensen.com http://karl.jorgensen.com
==== Today's fortune:
"Indecision is the basis of flexibility"
-- button at a Science Fiction convention.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://mailman.lug.org.uk/pipermail/sussex/attachments/20050311/1057efcf/attachment.pgp
More information about the Sussex
mailing list