exitsnoop(8)                System Manager's Manual               exitsnoop(8)

NAME

       exitsnoop - Trace all process termination (exit, fatal signal). Uses
       Linux eBPF/bcc.

SYNOPSIS

       exitsnoop [-h] [-t] [--utc] [-x] [-p PID] [--label LABEL]

DESCRIPTION

       exitsnoop traces process termination, showing the command name and
       reason for termination, either an exit or a fatal signal.

       It catches processes of all users, processes in containers, as well as
       processes that become zombie.

       This works by tracing the kernel sched_process_exit() function using
       dynamic tracing, and will need updating to match any changes to this
       function.

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS

       CONFIG_BPF and bcc.

OPTIONS

       -h     Print usage message.

       -t     Include a timestamp column.

       --utc  Include a timestamp column, use UTC timezone.

       -x     Exclude successful exits, exit(0).

       -p PID Trace this process ID only (filtered in-kernel).

       --label LABEL
              Label each line with LABEL (default 'exit') in first column (2nd
              if timestamp is present).

EXAMPLES

       Trace all process termination:
              # exitsnoop

       Trace all process termination, and include timestamps:
              # exitsnoop -t

       Exclude successful exits, only include non-zero exit codes and fatal
       signals:
              # exitsnoop -x

       Trace PID 181 only:
              # exitsnoop -p 181

       Label each output line with 'EXIT':
              # exitsnoop --label EXIT

FIELDS

       TIME-TZ
              Time of process termination HH:MM:SS.sss with milliseconds,
              where TZ is the local time zone, 'UTC' with --utc option.

       LABEL  The optional label if --label option is used. This is useful
              with the -t option for timestamps when the output of several
              tracing tools is sorted into one combined output.

       PCOMM  Process/command name.

       PID    Process ID.

       PPID   The process ID of the process that will be notified of PID
              termination.

       TID    Thread ID.

       EXIT_CODE
              The exit code for exit() or the signal number for a fatal
              signal.

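An added example, not part of this man page or of bcc: a small Python triage over exit events that decodes a raw termination value into the exit code or fatal signal described under EXIT_CODE and flags crash-type signals. It assumes the raw value uses the kernel's wait-status layout (signal in the low 7 bits, core-dump flag in bit 7, exit status in the next byte); the function names, watch list and sample events are constructed for illustration.

```python
import signal

# Signals that usually indicate abnormal termination worth a look.
# This watch list is an assumption made for the example.
WATCHED = {int(s) for s in (signal.SIGSEGV, signal.SIGBUS, signal.SIGILL,
                            signal.SIGABRT, signal.SIGFPE, signal.SIGSYS)}

def decode_exit(raw):
    """Split a wait-status style value into (kind, number, core_dumped)."""
    sig = raw & 0x7F             # low 7 bits: fatal signal number, 0 if none
    if sig:
        return ("signal", sig, bool(raw & 0x80))   # bit 7: core was dumped
    return ("exit", (raw >> 8) & 0xFF, False)      # next byte: exit() status

def describe(raw):
    """Human-readable form of the decoded value."""
    kind, num, core = decode_exit(raw)
    if kind == "exit":
        return "0" if num == 0 else f"code {num}"
    try:
        name = signal.Signals(num).name[3:]        # "SIGKILL" -> "KILL"
    except ValueError:                             # number unknown here
        name = "?"
    return f"signal {num} ({name})" + (", core dumped" if core else "")

def triage(events, exclude_success=True):
    """Return (pcomm, pid, description, watched) rows.

    exclude_success=True drops exit(0), the same filter -x applies."""
    rows = []
    for pcomm, pid, raw in events:
        kind, num, _ = decode_exit(raw)
        if exclude_success and kind == "exit" and num == 0:
            continue
        rows.append((pcomm, pid, describe(raw),
                     kind == "signal" and num in WATCHED))
    return rows

# Constructed sample events (pcomm, pid, raw value); not real trace output.
SAMPLE = [
    ("sshd", 4101, 0x0000),        # exit(0)
    ("backup.sh", 4102, 0x0100),   # exit(1)
    ("sleep", 4103, 9),            # killed by SIGKILL
    ("httpd", 4104, 0x80 | 11),    # SIGSEGV, core dumped
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```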

OVERHEAD

       This traces the kernel sched_process_exit() function and prints output
       for each event. As the rate of this is generally expected to be low
       (< 1000/s), the overhead is also expected to be negligible. If you have
       an application that has a high rate of process termination, then test
       and understand overhead before use.

SOURCE

       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.

OS

       Linux

STABILITY

       Unstable - in development.

AUTHOR

       Arturo Martin-de-Nicolas

SEE ALSO

       execsnoop(8)

USER COMMANDS                     2019-05-28                      exitsnoop(8)