Monitor a program’s I/O

iomonitoring

I have a program which spawns several child processes.

I want to know which files this program and its children are creating, deleting, and modifying.

  • inotifywait can tell me which files are being accessed, but cannot tell me which process is doing it. And I have to know where the files are being created in order to set up the monitor.

  • auditctl will let me log which processes modify a file, but, again, I have to know where the files are in order to set up logging.

  • lsof will tell me all of the files, but doesn't seem to be a good solution for real-time tracking.

Is there anything that will let me monitor a program's file manipulation without knowing a priori which files will be manipulated?

Best Answer

On Linux you can use strace to monitor these kind of events:

strace -f -p <PID> -e trace=file

On Solaris, you can use dtrace. Have a look at the DTraceToolkit tool opensnoop, which is installed by default on Solaris 11 under /usr/dtrace/DTT/Bin/opensnoop.

/usr/dtrace/DTT/Bin/opensnoop -p <pid>
Related Question