On 05/08/2019 13:44, John Horne wrote:
On Mon, 2019-08-05 at 13:06 +0100, Giles Coochey wrote:
On 05/08/2019 12:56, John Horne wrote:
I was going to say no to both of these, however the RPM package ('xymon') was itself updated at around the time mentioned on Aug 02. The hex number is equivalent to 1564754190 in decimal which, as an epoch time, is '2019-08-02 14:56:30'. So it might be possible that '/usr/sbin/xymond' was replaced and the hex number just indicates the time that occurred.
It might be explained that the file doesn't get deleted until its file handles are released?
The downside is that the package update was a bit earlier than 14:56 though, so the numbers don't seem to quite match up. Secondly, the whole xymon process was restarted, but the server itself not rebooted, so I would expect all the processes to be using the new executables rather than an older/deleted one. (I am a little loath to restart the service at the moment as I may well lose the info currently in '/proc/.../exe'.)
Did you upgrade xymon, or perhaps install it from a different maintainers RPM from the original one, or perhaps the original one wasn't an RPM install at all?
In these cases, the old running process in /proc/pid/exe is probably the original one, which the new install tried to restart / but because of a discrepancy in what is in /var/run it didn't quite work out as planned.
I think to truly understand this we might need more background information and a journal of what tasks were carried out.