<div dir="ltr"><div><div><div><div><div>Hello!<br><br>If you have installed <a href="https://github.com/draios/sysdig/wiki/Sysdig%20User%20Guide"><span style="font-family:monospace,monospace">sysdig</span></a>, [<a href="https://www.sysdig.org/">https://www.sysdig.org/</a>] (a kind of <span style="font-family:monospace,monospace">strace </span>but for all the computer, not just for a only process) you can do commands like:<br><br></div> <span style="font-family:monospace,monospace">sysdig <a href="http://fd.name">fd.name</a> contains .gz <br></span><br></div>and it will show information about who is accessing any file that contains ".gz" in its name.<br><br><span style="font-family:monospace,monospace"><font size="2">root@veve0410:/home/oscar# <b>sysdig <a href="http://proc.name">proc.name</a>=nginx and <a href="http://fd.name">fd.name</a> contains access</b><br>2828 08:45:18.248862970 1 nginx (28325) > write fd=75(<f>/html/logs/nginx/produccion/portal/access.log) size=331<br>2829 08:45:18.248867711 1 nginx (28325) < write res=331 data=66.249.79.51 - - [27/Feb/2018:08:45:18 +0100] \"GET /diario/1991/04/10/internacio<br>15081 08:45:19.538002590 1 nginx (28325) > write fd=75(<f>/html/logs/nginx/produccion/portal/access.log) size=124<br>15082 08:45:19.538007576 1 nginx (28325) < write res=124 data=104.199.186.40 - - [27/Feb/2018:08:45:19 +0100] \"GET /elpais/portada_america.htm<br>19211 08:45:19.718872876 1 nginx (28325) > write fd=75(<f>/html/logs/nginx/produccion/portal/access.log) size=332<br>19212 08:45:19.718877388 1 nginx (28325) < write res=332 data=66.249.79.45 - - [27/Feb/2018:08:45:19 +0100] \"GET /diario/2005/08/23/catalunya/<br>22775 08:45:20.215718840 1 nginx (28325) > write fd=75(<f>/html/logs/nginx/produccion/portal/access.log) size=330<br>22776 08:45:20.215723447 1 nginx (28325) < write res=330 data=66.249.79.42 - - [27/Feb/2018:08:45:20 +0100] \"GET /diario/2009/05/23/babelia/12<br>^Croot@veve0410:/home/oscar#</font></span><br><br></div><span style="font-family:monospace,monospace">sysdig </span>can be a great help to watch what is happening in your linux computer.<br><br></div><div>Here you have other examples of what you can do with sysdig / csysdig (sorry, the explanations are in Spanish):<br></div><div>
<pre><font size="2"><code>csysdig # versión de tipo 'top', desde la que se puede activar la traza de cada proceso
sysdig -h # ayuda
sysdig -l
sysdig -cl # lista los chisels disponibles. Mira en /usr/share/sysdig/chisels/ los que vienen de serie. Mira en /usr/share/sysdig/chisels/ los que vienen de serie
sysdig -L # listar los eventos que se pueden capturar
sysdig "<a href="http://proc.name">proc.name</a>=httpd and evt.type=open and fd.num<0 and evt.dir =<" # comprobar errores al abrir ficheros
sysdig -c spy_ip 10.168.1.100 # Ver la conversación que tiene lugar con esa IP
# Si se hace desde un frontal, se ven las peticiones HTTP
# hechas por los navegadores y las respuestas del servidor
sudo sysdig -c echo_fds "<a href="http://fd.name">fd.name</a> not contains /dev/" # Mostrar accesos a ficheros, con cierto filtro adicional
sysdig <a href="http://fd.name">fd.name</a> contains sitemap # Vigilar accesos a ficheros de sitemaps
sysdig <a href="http://proc.name">proc.name</a>=httpd and proc.pid = 23216
sysdig proc.pid = 23216
sysdig proc.apid = 23216 # procesos cuyo padre sea el proceso de PID 23216
sysdig <a href="http://proc.name">proc.name</a>=httpd
sysdig -w apache-durante-atasco-nanosleep-al-recibir-SIGHUP.scap <a href="http://proc.name">proc.name</a>=httpd # está en /html/tmp de veve0223
sysdig -r apache-durante-atasco-nanosleep-al-recibir-SIGHUP.scap # reproducir las operaciones guardadas con -w
sysdig -p"%evt.time %<a href="http://evt.arg.name">evt.arg.name</a>" evt.type=open # mostrar el instante
sysdig -p"%evt.num %<a href="http://evt.arg.name">evt.arg.name</a>" evt.type=open # mostrar el numero; sirve para luego filtrar un rango por el numero
sysdig -r apache-durante-atasco-nanosleep-al-recibir-SIGHUP.scap -p"%evt.num %<a href="http://evt.arg.name">evt.arg.name</a>" evt.type=open # mostrar el numero
sysdig -r apache-durante-atasco-nanosleep-al-recibir-SIGHUP.scap "evt.num > 3362620" | less # ignorar eventos anteriores a uno dado
sysdig "not evt.type in ('select', 'switch', 'clock_gettime', 'rt_sigprocmask', 'ioctl')" # es posible que esto no funcione en los servidores, pero sí en mi portátil (versión más reciente)
sysdig <a href="http://proc.name">proc.name</a>=searchd and evt.type=recvfrom # para que se muestren las IPs y puertos que se conectan al daemon de búsqueda de Sphinx
sysdig -c lsof "fd.type=ipv4" # equivale a lsof -i que sirve para listar todas las conexiones de red,
# aunque con lsof veo que indica si es TCP o UDP. Para separar las que
# son TCP o UDP, tienes que ejecutar por separado los dos comandos siguientes
sysdig -c lsof "fd.l4proto=tcp" # Versión restringida a TCP del comando anterior, equivalente a lsof -i tcp
sysdig -c lsof "fd.l4proto=udp" # Versión restringida a UDP del comando anterior, equivalente a lsof -i udp
csysdig -v files # Ficheros a los que se va accediendo, con refresco de pantalla
csysdig -v file_opens # Ficheros a los que se va accediento, en modo lista acumulada</code></font></pre>
<br></div>Kind regards,<br></div>Oscar<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 27, 2018 at 3:32 AM, <a href="mailto:lists@lazygranch.com">lists@lazygranch.com</a> <span dir="ltr"><<a href="mailto:lists@lazygranch.com" target="_blank">lists@lazygranch.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Fri, 23 Feb 2018 18:54:48 -0800<br>
"<a href="mailto:lists@lazygranch.com">lists@lazygranch.com</a>" <<a href="mailto:lists@lazygranch.com">lists@lazygranch.com</a>> wrote:<br>
<br>
> On Thu, 22 Feb 2018 18:40:12 -0800<br>
> "<a href="mailto:lists@lazygranch.com">lists@lazygranch.com</a>" <<a href="mailto:lists@lazygranch.com">lists@lazygranch.com</a>> wrote:<br>
><br>
> > When I was using FreeBSD, the access log was real time. Since I went<br>
> > to Centos, that doesn't seem to be the case. Is there some way to<br>
> > flush the buffer?<br>
> > ______________________________<wbr>_________________<br>
> > nginx mailing list<br>
> > <a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
> > <a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/<wbr>mailman/listinfo/nginx</a><br>
><br>
> I found a flush=x option on the command line. I set it for 1m for<br>
> testing. Note that you need to specify a buffer size else nginx will<br>
> choke.<br>
><br>
> ______________________________<wbr>_________________<br>
<br>
</span>This flush=time option isn't working. I'm at a loss here.<br>
<br>
Here is some of a ls -l:<br>
-rw-r----- 1 nginx adm 12936 Feb 27 02:17 access.log<br>
-rw-r--r-- 1 nginx root 4760 Feb 24 03:06 access.log-20180224.gz<br>
-rw-r----- 1 nginx adm 1738667 Feb 26 03:21 access.log-20180226<br>
<br>
This is the ls -l on /var/log/nginx:<br>
drwxr-xr-x. 2 root root 4096 Feb 27 02:11 nginx<br>
<br>
I'm not requesting a compressed log, so I assume centos is creating the<br>
gunzip files. Usually the access.log file has content, but sometimes it<br>
is empty and the log data is on the access.log-"date" file, which I<br>
suspect is a roll over from access.log. That is maybe centos rolls it<br>
but doesn't zip it right away.<br>
<br>
<br>
http {<br>
log_format main '$status $remote_addr - $remote_user [$time_local] "$request" '<br>
'$body_bytes_sent "$http_referer" '<br>
'"$http_user_agent" "$http_x_forwarded_for"';<br>
access_log /var/log/nginx/access.log main buffer=32k flush=1m;<br>
<br>
<br>
uname -a<br>
Linux 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu Jan 25 20:13:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux<br>
<br>
nginx -V<br>
nginx version: nginx/1.12.2<br>
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)<br>
built with OpenSSL 1.0.2k-fips 26 Jan 2017<br>
TLS SNI support enabled<br>
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx<br>
--modules-path=/usr/lib64/<wbr>nginx/modules<br>
--conf-path=/etc/nginx/nginx.<wbr>conf<br>
--error-log-path=/var/log/<wbr>nginx/error.log<br>
--http-log-path=/var/log/<wbr>nginx/access.log --pid-path=/var/run/nginx.pid<br>
--lock-path=/var/run/nginx.<wbr>lock<br>
--http-client-body-temp-path=/<wbr>var/cache/nginx/client_temp<br>
--http-proxy-temp-path=/var/<wbr>cache/nginx/proxy_temp<br>
--http-fastcgi-temp-path=/var/<wbr>cache/nginx/fastcgi_temp<br>
--http-uwsgi-temp-path=/var/<wbr>cache/nginx/uwsgi_temp<br>
--http-scgi-temp-path=/var/<wbr>cache/nginx/scgi_temp --user=nginx<br>
--group=nginx --with-http_ssl_module --with-http_realip_module<br>
--with-http_addition_module --with-http_sub_module<br>
--with-http_dav_module --with-http_flv_module --with-http_mp4_module<br>
--with-http_gunzip_module --with-http_gzip_static_module<br>
--with-http_random_index_<wbr>module --with-http_secure_link_module<br>
--with-http_stub_status_module --with-http_auth_request_<wbr>module<br>
--with-http_xslt_module=<wbr>dynamic --with-http_image_filter_<wbr>module=dynamic<br>
--with-http_geoip_module=<wbr>dynamic --with-http_perl_module=<wbr>dynamic<br>
--add-dynamic-module=njs-<wbr>1c50334fbea6/nginx --with-threads<br>
--with-stream --with-stream_ssl_module --with-http_slice_module<br>
--with-mail --with-mail_ssl_module --with-file-aio --with-ipv6<br>
--with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall<br>
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong<br>
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'<br>
--with-ld-opt=-Wl,-E<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
<br>
______________________________<wbr>_________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/<wbr>mailman/listinfo/nginx</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Oscar Fernandez Sierra<br><a href="mailto:oscaretu@gmail.com" target="_blank">oscaretu@gmail.com</a></div>
</div>