Hi All.
I currently use:
Apache/2.2.21
on:
2.6.32-279.9.1.el6.centos.plus.x86_64
CentOS release 6.3 (Final)
>From time to time (it happenes on different machines) I have a very high
load up to 100, and I see that there are up to 300/s writes to /var at the
same time. Apache restart solves the problem. I would like to know the
reason so I decided to use auditd.
I've used:
auditctl -w /var -p warx
And for example:
ausearch -f /var -i -ts 04/29/2013 23:00:00 -te 04/29/2013 23:01:00 -ua
11111 | grep 'syscall=open' | wc -l
gives me "5" but in my monitoring I see that there were up to 300 writes
per second to /var at the same moment (id 11111 - httpd) (I have verified
the writes with command line tools).
ausearch -f /var -i -ts 04/29/2013 23:00:00 -te 04/29/2013 23:01:00 | grep
'syscall=open' | wc -l
gives:
15
Thanks to auditd I know that the syscalls are performed on /var/tmp but why
is there such a difference in auditd output and writes measured in
operating system?
Do I use auditd wrong?
Best regards,
Rafal.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
