I have a program which spawns several child processes.
I want to know which files this program and its children are creating, deleting, and modifying.
- inotifywait can tell me which files are being accessed, but cannot tell me which process is doing it. And I have to know where the files are being created in order to set up the monitor.
- auditctl will let me log which processes modify a file, but, again, I have to know where the files are in order to set up logging.
- lsof will tell me all of the files, but doesn't seem to be a good solution for real-time tracking.
Is there anything that will let me monitor a program's file manipulation without knowing a priori which files will be manipulated?
Best Answer
On Linux you can use strace to monitor these kinds of events:

On Solaris, you can use dtrace. Have a look at the DTraceToolkit tool opensnoop, which is installed by default on Solaris 11 under /usr/dtrace/DTT/Bin/opensnoop.
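An added example, not part of the original answer: a parser that turns a log captured with strace -f -e trace=file -o trace.log ./prog into per-PID lists of created, modified, deleted and renamed paths, so no path has to be known in advance. The sample trace lines, the ./prog name and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample of `strace -f -e trace=file -o trace.log ./prog` output (PID first).
SAMPLE = """\
4101 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4101 openat(AT_FDCWD, "/tmp/job/out.log", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 4
4102 openat(AT_FDCWD, "/tmp/job/state.db", O_RDWR|O_CREAT, 0600) = 3
4102 openat(AT_FDCWD, "/var/lib/x", O_WRONLY) = -1 ENOENT (No such file or directory)
4102 rename("/tmp/job/state.db", "/tmp/job/state.db.bak") = 0
4103 unlink("/tmp/job/out.log") = 0
4103 openat(AT_FDCWD, "/tmp/job/part", O_WRONLY|O_APPEND <unfinished ...>
4103 <... openat resumed>) = 5
"""
CALL = re.compile(r'^(\w+)\((.*)\)\s+=\s+(-?\d+)')
PATH = re.compile(r'"((?:[^"\\]|\\.)*)"')

def classify(call, args):
    """Map one successful syscall to (action, path); None if nothing changes."""
    paths, flags = PATH.findall(args), PATH.sub("", args)
    if not paths:
        return None
    if call in ("open", "openat", "creat"):
        if call == "creat" or "O_CREAT" in flags:  # file may be created
            return ("create", paths[0])
        if "O_WRONLY" in flags or "O_RDWR" in flags:
            return ("modify", paths[0])
    elif call in ("unlink", "unlinkat", "rmdir"):
        return ("delete", paths[0])
    elif call in ("rename", "renameat", "renameat2"):
        return ("rename", paths[0] + " -> " + paths[-1])
    return None

def file_changes(trace_text):
    """Return {pid: [(action, path), ...]} for calls that succeeded."""
    pending, result = {}, defaultdict(list)
    for raw in trace_text.splitlines():
        pid, _, rest = raw.partition(" ")
        rest = rest.strip()
        if rest.endswith("<unfinished ...>"):  # call interleaved with another PID
            pending[pid] = rest[:-len("<unfinished ...>")].rstrip()
            continue
        if rest.startswith("<...") and pid in pending:  # stitch the two halves
            rest = pending.pop(pid) + rest.split("resumed>", 1)[1]
        m = CALL.match(rest)
        hit = classify(m.group(1), m.group(2)) if m and int(m.group(3)) >= 0 else None
        if pid.isdigit() and hit:
            result[int(pid)].append(hit)
    return dict(result)
```

Opening a file with O_CREAT is reported as a create even if the file already existed, since the trace alone does not say which happened.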