Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
There is in my CentOS 5.4 server a file which has been updated each 10 minutes or so. The file is "/var/log/sa/sa23".
Using the command "sar -f /var/log/sa/sa23" I can get stats about the server updated to the last 10 minutes. So, this file has a valid sar binary data on it.
The problem is I don't know which process is updating this file.
I couldn't find any process fired by cron/at which may explain this (find /var/spool/at -type f; find /var/spool/cron -type f), neither a process currently running (ps -ef | grep -i sa).
At times near to each 10 minutes I tried to use "lsof" to catch the process which is using the file, but it didn't return anything ("while /bin/true; do lsof /var/log/sa/sa23; done")
Searching for process with open files at /proc didn't help too, because this process don't keep the file open all the time (find /proc -type d -iname "fd" -exec ls -ltr {} \; | grep sa)
In fact, I want to change the resolution of stats returned by this hidden/mysterious sar data collector. 10 minutes is too much for a particular analysis I need to do. I want to change it for 3 seconds for a specific period of time.
The problem is the command "/usr/lib64/sa/sa1 1200 3" didn't work at all, may be because of this hidden/mysterious is already in place.
How to find which process is writing to /var/log/sa/sa23 ?
Alternatively, how to change it to capture data at 3 seconds during a specific period of time ?
sar is part of the systat package/service in CentOS/Redhat. Like smoker said, man sar
Sar is your friend, you really don't want to disable it, it helps you with all sorts of stuff.
Some things to do with sar.
Type "sar|less", and you'll see what type of load your system was under since midnight (if you want you can also specify previous days, man sar to find out more).
Type "sar -B|less" to see what your memory situation is, since midnight. If "majflts", major faults, is higher than few percent on a regular basis, you know you need more ram!
See, sar is your friend!
And for your more general question of who's writing to the file, lsof is another friend, it tells you which process has what files open. Again use less, there's a ton of output Once you're used to what it's showing you, use grep.
No problem.
I wasn't upset, just surprised that you didn't read it.
Too many posters want an exact answer, rather than read a page.
I'm glad you're fixed up.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.