[CentOS] httpd writes much to /var? How to audit it properly?
Rafał Radecki
radecki.rafal at gmail.com
Tue Apr 30 09:04:52 UTC 2013
Hi All.

I currently use:
Apache/2.2.21
on:
2.6.32-279.9.1.el6.centos.plus.x86_64
CentOS release 6.3 (Final)

From time to time (it happens on different machines) I have a very high load, up to 100, and I see that there are up to 300/s writes to /var at the same time. Apache restart solves the problem. I would like to know the reason, so I decided to use auditd.

I've used:

    auditctl -w /var -p warx

And for example:

    ausearch -f /var -i -ts 04/29/2013 23:00:00 -te 04/29/2013 23:01:00 -ua 11111 | grep 'syscall=open' | wc -l

gives me "5", but in my monitoring I see that there were up to 300 writes per second to /var at the same moment (id 11111 - httpd) (I have verified the writes with command line tools).

    ausearch -f /var -i -ts 04/29/2013 23:00:00 -te 04/29/2013 23:01:00 | grep 'syscall=open' | wc -l

gives: 15

Thanks to auditd I know that the syscalls are performed on /var/tmp, but why is there such a difference between the auditd output and the writes measured in the operating system? Do I use auditd wrong?

Best regards,
Rafal.
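Added example, not part of the original message: a tally of `ausearch -i` output per syscall, which shows what a `-w /var -p warx` watch actually logs. Per auditctl(8), the `r` and `w` permissions of a watch are evaluated from the open flags and the read and write syscalls themselves are omitted, so the events are open-type calls rather than one record per write(). The sample records, the function names and the rule key `httpd-writes` are constructed for illustration.

```shell
#!/bin/sh
# Constructed records in the style of `ausearch -i` output (fields trimmed).
sample_records() {
cat <<'EOF'
type=PATH msg=audit(04/29/2013 23:00:01.120:901) : item=0 name=/var/tmp/a.tmp nametype=CREATE
type=SYSCALL msg=audit(04/29/2013 23:00:01.120:901) : arch=x86_64 syscall=open success=yes exit=14 pid=2301 comm=httpd
type=PATH msg=audit(04/29/2013 23:00:01.480:902) : item=0 name=/var/tmp/b.tmp nametype=CREATE
type=SYSCALL msg=audit(04/29/2013 23:00:01.480:902) : arch=x86_64 syscall=open success=yes exit=15 pid=2302 comm=httpd
type=PATH msg=audit(04/29/2013 23:00:02.010:903) : item=0 name=/var/tmp/a.tmp nametype=DELETE
type=SYSCALL msg=audit(04/29/2013 23:00:02.010:903) : arch=x86_64 syscall=unlink success=yes exit=0 pid=2301 comm=httpd
type=PATH msg=audit(04/29/2013 23:00:02.300:904) : item=0 name=/var/log/cron nametype=NORMAL
type=SYSCALL msg=audit(04/29/2013 23:00:02.300:904) : arch=x86_64 syscall=open success=yes exit=3 pid=1450 comm=crond
EOF
}

# Print "<count> <syscall>" per SYSCALL record on stdin, busiest first.
# Optional $1 restricts the tally to one command name (comm= field).
tally_syscalls() {
    awk -v want="${1:-}" '$1 == "type=SYSCALL" {
            sc = ""; ok = (want == "")
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^syscall=/) sc = substr($i, 9)
                if ($i == "comm=" want) ok = 1
            }
            if (ok && sc != "") n[sc]++
        }
        END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# Count events, not lines: the SYSCALL and PATH records of one event share
# the serial number that follows the timestamp inside msg=audit(...).
count_events() {
    sed -n 's/.*msg=audit([^)]*:\([0-9][0-9]*\)).*/\1/p' | sort -u | wc -l | tr -d ' '
}

# To log each write() by the httpd uid instead, a syscall rule is needed
# (assumed rule; very high volume, so keep the capture window short):
#   auditctl -a always,exit -F arch=b64 -S write -S writev -S pwrite64 \
#            -F uid=11111 -k httpd-writes

# Real use: ausearch -f /var -i -ts ... -te ... | tally_syscalls httpd
sample_records | tally_syscalls httpd
```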