Tuesday, March 8, 2016

linux: how to detect which application, command or pid deleted files

Sysdig is open source, system-level exploration: capture system state and activity from a running Linux instance, then save, filter and analyze. Sysdig is scriptable in Lua and includes a command line interface and a powerful interactive UI, csysdig, that runs in your terminal. Think of sysdig as strace + tcpdump + htop + iftop + lsof + awesome sauce, with state of the art container visibility on top.

installation:
http://www.sysdig.org/install/

command (prints every unlink/unlinkat event whose arguments mention the watched directory, together with the user, pid, process name, process arguments and full command line that issued it):
sysdig -p '%12evt.type %12user.name %6proc.pid %12proc.name %12proc.args- %proc.cmdline --- %evt.args' '(evt.type=unlinkat or evt.type=unlink) and evt.args contains /usr/local/app/db'
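The command above answers the question interactively; when the capture runs for a while you usually want a summary of which process removed which files. The script below is an added example, not part of the original post or of the sysdig project. It assumes sysdig was run with a '|'-joined output format (hypothetical, chosen so the fields can be split unambiguously): `-p '%evt.dir|%evt.type|%user.name|%proc.pid|%proc.name|%proc.cmdline|%evt.args'`. The sample lines are constructed to look like that output; the exact spelling of the `evt.args` values (`path=`, `dirfd=N(<f>/dir)`, `name=`, `res=`) is an assumption about sysdig's argument rendering and should be checked against a real capture. The script counts only exit events (`evt.dir` is `<`) with `res=0`, because the enter event of the same syscall matches the filter too and a failed unlink removed nothing.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample capture. Assumed format (hypothetical -p string, not the post's own):
#   -p '%evt.dir|%evt.type|%user.name|%proc.pid|%proc.name|%proc.cmdline|%evt.args'
SAMPLE_LINES = """\
>|unlink|app|4121|cleanup.sh|sh /usr/local/app/bin/cleanup.sh|path=/usr/local/app/db/journal.0001
<|unlink|app|4121|cleanup.sh|sh /usr/local/app/bin/cleanup.sh|res=0 path=/usr/local/app/db/journal.0001
>|unlinkat|root|887|rm|rm -rf /usr/local/app/db/tmp|dirfd=3(<f>/usr/local/app/db/tmp) name=cache.bin flags=0
<|unlinkat|root|887|rm|rm -rf /usr/local/app/db/tmp|res=0 dirfd=3(<f>/usr/local/app/db/tmp) name=cache.bin flags=0
<|unlink|app|4121|cleanup.sh|sh /usr/local/app/bin/cleanup.sh|res=-2(ENOENT) path=/usr/local/app/db/missing
<|unlink|www|2210|nginx|nginx: worker process|res=0 path=/var/log/nginx/old.log
"""

WATCHED_PREFIX = "/usr/local/app/db"

# Assumed rendering of the syscall arguments in %evt.args (check against a real capture).
PATH_RE = re.compile(r"\bpath=(\S+)")
NAME_RE = re.compile(r"\bname=(\S+)")
DIRFD_RE = re.compile(r"\bdirfd=\d+\(<f>([^)]*)\)")
RES_RE = re.compile(r"\bres=(-?\d+)")


def deleted_path(evt_type, args):
    """Recover the removed path from the event arguments; None if it cannot be determined."""
    if evt_type == "unlink":
        m = PATH_RE.search(args)
        return m.group(1) if m else None
    if evt_type == "unlinkat":
        name = NAME_RE.search(args)
        if not name:
            return None
        name = name.group(1)
        if name.startswith("/"):
            return name  # absolute name: dirfd is ignored by the kernel
        dirfd = DIRFD_RE.search(args)
        return posixpath.join(dirfd.group(1), name) if dirfd else None
    return None


def attribute_deletions(output, watched_prefix):
    """Map (proc.name, pid, user) -> sorted list of files successfully deleted under watched_prefix."""
    prefix = watched_prefix.rstrip("/") + "/"
    by_proc = defaultdict(set)
    for line in output.splitlines():
        if not line.strip():
            continue
        fields = line.split("|", 6)
        if len(fields) != 7:
            continue  # truncated or unexpected line
        evt_dir, evt_type, user, pid, proc, _cmdline, args = fields
        if evt_dir != "<":
            continue  # only the exit event carries the syscall result
        res = RES_RE.search(args)
        if not res or int(res.group(1)) != 0:
            continue  # failed unlink: nothing was removed
        path = deleted_path(evt_type, args)
        if path is None:
            continue
        norm = posixpath.normpath(path)
        if not norm.startswith(prefix):
            continue  # outside the watched directory
        by_proc[(proc, int(pid), user)].add(norm)
    return {key: sorted(paths) for key, paths in by_proc.items()}


if __name__ == "__main__":
    for (proc, pid, user), paths in attribute_deletions(SAMPLE_LINES, WATCHED_PREFIX).items():
        print(f"{proc} (pid {pid}, user {user}) deleted {len(paths)} file(s):")
        for p in paths:
            print("   ", p)
```

On real data, pipe the capture in instead of using the embedded sample, e.g. `sysdig -p '...' '<filter>' | python3 attribute.py` after changing the script to read `sys.stdin`. Matching `evt.args contains /usr/local/app/db` is a substring test, so a process deleting `/usr/local/app/db-backup/x` would also be listed by the sysdig command; the prefix check in the script narrows that to the directory itself.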

https://github.com/draios/sysdig/wiki/Sysdig%20Chisel%20API%20Reference%20Manual

http://www.sysdig.org/wiki/sysdig-quick-reference-guide/
