DTrace script for who exec'd a process

I was wondering what process was executing logadm on a test system, so I wrote a simple DTrace one-liner:

dtrace -q -n 'proc:::exec { self->parent = execname;}' -n 'syscall::exec*:return /execname == "logadm"/ { printf("%Y %s execs %s\n",walltimestamp,self->parent,curpsinfo->pr_psargs); }'

Here is sample output:

2011 Mar 11 17:35:00 sh execs /usr/sbin/logadm

In this case, it turned out to be cron, but I also found the script useful to check if and when a process was called in other cases.  Actually, this example was not too useful, but I didn't want to show the actual bug that I was working on.  However, I ended up using that DTrace one-liner many times this week.
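The same idea as a standalone D script, given here as an added example and not code from the original post. It assumes a hypothetical file name `whoexec.d`, takes the program name to watch as its first argument, reports only execs that succeeded, and adds the uid, pid and parent pid so the caller can be traced further up the process tree.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example, not from the original post.
 * Assumed usage: ./whoexec.d logadm
 * $$1 expands to the first command-line argument as a string.
 */
#pragma D option quiet

/* Fires before the image is replaced: execname is still the caller's name. */
proc:::exec
{
	self->parent = execname;
}

/* Fires only after a successful exec: execname is now the new program. */
proc:::exec-success
/self->parent != NULL && execname == $$1/
{
	printf("%Y uid=%d pid=%d ppid=%d %s execs %s\n", walltimestamp,
	    uid, pid, ppid, self->parent, curpsinfo->pr_psargs);
}

/* Release the thread-local whether the exec succeeded or failed. */
proc:::exec-success,
proc:::exec-failure
/self->parent != NULL/
{
	self->parent = NULL;
}
```

Clauses on the same probe run in program order, so the report is printed before the thread-local is cleared.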

Comments:

Of course you need to change the execname == logadm to whatever process you want to track, or leave it out to track all processes.

Posted by Jeremy Uejio on March 11, 2011 at 09:55 AM PST #
