I have created this small DTrace script to monitor access to a file on a ZFS file system (it does not work on other file systems). It takes a single argument, the file you are going to monitor. It prints the date of the access, the process using the file, the operation on the file (Read/Write/Delete), the user, and the PID.
It fires every time a process does something to the monitored file. It monitors writes, reads and deletion of the file. It will even work if the file is accessed through a soft link.
I created this script because one of our customers detected some rare behaviour on the /var/adm/messages file and they wanted to monitor access to this file somehow.
An example of the usage:
./filemon_zfs.d /var/adm/messages
                DATE                 CMD   R/W/D      USER       PID
2010 Mar 12 11:51:39             syslogd       W         0     13385
2010 Mar 12 11:51:48             syslogd       W         0     13385
2010 Mar 12 11:51:48             syslogd       W         0     13385
^C
2010 Mar 12 11:51:53             syslogd       W         0     13385
And here is the code:
#!/usr/sbin/dtrace -s
/*
 *
 * filemon_zfs.d - Monitors specific file access
 *                 Written using DTrace.
 *
 *
 * $Id: filemon_zfs.d 1 2010-03-12 14:16:26Z sergio $
 *
 * USAGE: filemon_zfs.d
 *
 * eg,
 *     ./filemon_zfs.d /var/adm/messages    # Monitor access to /var/adm/messages
 *
 * Must be root or with DTrace role privilege
 *
 * NOTES: This script uses dtrace so it should work on Solaris or OpenSolaris
 *
 * THANKS: The students of a DTrace course for the idea
 *
 * COPYRIGHT: Copyright (c) 2008 Sergio Rodriguez de Guzman Martinez
 *
 * CDDL HEADER START
 *
 *  The contents of this file are subject to the terms of the
 *  Common Development and Distribution License, Version 1.0 only
 *  (the "License").  You may not use this file except in compliance
 *  with the License.
 *
 *  You can obtain a copy of the license at Docs/cddl1.txt
 *  or http://www.opensolaris.org/os/licensing.
 *  See the License for the specific language governing permissions
 *  and limitations under the License.
 *
 * CDDL HEADER END
 *
 * Author: Sergio Rodriguez de Guzman [Madrid, Spain]
 *
 * 12-03-2010  Sergio Rodriguez de Guzman  Created this.
 *
 *
 */

#pragma D option quiet

BEGIN
{
	printf ("%20s%20s%8s%10s%10s\n", "DATE", "CMD", "R/W/D", "USER", "PID");
}

/* On entry, remember the vnode path this thread is about to read ... */
zfs_read:entry,
zfs_getpage:entry
{
	self->filepath = args[0]->v_path;
}

/* ... or write. */
zfs_write:entry,
zfs_putpage:entry
{
	self->filepath = args[0]->v_path;
}

/*
 * $$1 expands the first script argument as a string, so the path can be
 * passed unquoted as in the usage above (a bare $1 would be parsed as a
 * D expression). strstr() is a substring match on the path.
 */
zfs_write:return,
zfs_putpage:return
/ strstr(stringof(self->filepath), $$1) != NULL /
{
	printf("%20Y%20s%8s%10d%10d\n", walltimestamp, execname, "W", uid, pid);
	self->filepath = 0;
}

zfs_read:return,
zfs_getpage:return
/ strstr(stringof(self->filepath), $$1) != NULL /
{
	printf("%20Y%20s%8s%10d%10d\n", walltimestamp, execname, "R", uid, pid);
	self->filepath = 0;
}

/* For a delete, build the full path from the directory vnode and the entry name */
zfs_remove:entry
{
	self->filepath = strjoin( stringof(args[0]->v_path), "/" );
	self->filepath = strjoin( self->filepath, stringof(args[1]) );
}

zfs_remove:return
/ strstr(stringof(self->filepath), $$1) != NULL /
{
	printf("%20Y%20s%8s%10d%10d\n", walltimestamp, execname, "D", uid, pid);
	/* Release the thread-local, as the read/write clauses do */
	self->filepath = 0;
}
Sergio.
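Added example (not part of the original post or script): a small Python filter for the script's output that flags every delete of the monitored file and any write by a process outside an allowlist. The allowlist (syslogd running as uid 0), the function names and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "when cmd op uid pid")

# One data row as printed by the script's "%20Y%20s%8s%10d%10d" format.
ROW = re.compile(r"^\s*(\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2})"
                 r"\s+(\S+)\s+([RWD])\s+(\d+)\s+(\d+)\s*$")

# Assumed policy: only syslogd running as uid 0 should write the monitored file.
ALLOWED_WRITERS = {("syslogd", 0)}

def parse(lines):
    """Yield an Event per data row; the header, blank lines and ^C are skipped."""
    for line in lines:
        m = ROW.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # collapse padding in the day field
            yield Event(datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
                        m.group(2), m.group(3), int(m.group(4)), int(m.group(5)))

def suspicious(events, allowed=ALLOWED_WRITERS):
    """Return every delete, plus writes by a (cmd, uid) pair not in the allowlist."""
    return [e for e in events
            if e.op == "D" or (e.op == "W" and (e.cmd, e.uid) not in allowed)]

# Constructed sample in the script's output format (not captured from a real system).
SAMPLE = """\
                DATE                 CMD   R/W/D      USER       PID
2010 Mar 12 11:51:39             syslogd       W         0     13385
2010 Mar 12 11:51:48             syslogd       W         0     13385
2010 Mar 12 11:52:02                tail       R       100     14002
2010 Mar 12 11:52:10                  vi       W       100     14017
^C
2010 Mar 12 11:52:31                  rm       D         0     14040
"""

if __name__ == "__main__":
    for e in suspicious(parse(SAMPLE.splitlines())):
        print(f"ALERT {e.when:%Y-%m-%d %H:%M:%S} {e.cmd} "
              f"op={e.op} uid={e.uid} pid={e.pid}")
```

Because the script matches the path with strstr(), rows for files such as rotated copies whose path contains the argument appear in the same output and are judged by the same allowlist.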
#1 by Sergio on August 19, 2010 - 17:02
For a couple of months I have been working on a file monitor on ZFS, and then I replicate the actions on a backup server so that I keep a minute-by-minute backup. The issue is that I notice logs are being lost. Reading up, I saw it could be a matter of bufsize and switchrate; I increased both, but I see that on the source server files/dirs are created but there are no logs for them. Any ideas/suggestions?
Thank you very much!
#2 by admin on September 3, 2010 - 13:40
Which probes are you enabling for directory creation?
#3 by Rachmat Febrianto on October 11, 2010 - 04:16
Thanks for the Scripts…
#4 by Sergio on August 9, 2011 - 20:15
I finally solved the backup issue using zfs send and zfs recv, thanks anyway!!