exitsnoop(8)                System Manager's Manual               exitsnoop(8)

NAME
       exitsnoop - Trace all process termination (exit, fatal signal). Uses
       Linux eBPF/bcc.

SYNOPSIS
       exitsnoop [-h] [-t] [--utc] [-x] [-p PID] [--label LABEL]
       [--per-thread]

DESCRIPTION
       exitsnoop traces process termination, showing the command name and
       reason for termination, either an exit or a fatal signal.

       It catches processes of all users, processes in containers, as well as
       processes that become zombies.

       This works by tracing the kernel sched_process_exit() function using
       dynamic tracing, and will need updating to match any changes to this
       function.

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS
       CONFIG_BPF and bcc.

OPTIONS
       -h     Print usage message.

       -t     Include a timestamp column.

       --utc  Include a timestamp column, use UTC timezone.

       -x     Exclude successful exits, exit(0).

       -p PID Trace this process ID only (filtered in-kernel).

       --label LABEL
              Label each line with LABEL (default 'exit') in first column (2nd
              if timestamp is present).

       --per-thread
              Trace per-thread termination.

EXAMPLES
       Trace all process termination:
              # exitsnoop

       Trace all process termination, and include timestamps:
              # exitsnoop -t

       Exclude successful exits, only include non-zero exit codes and fatal
       signals:
              # exitsnoop -x

       Trace PID 181 only:
              # exitsnoop -p 181

       Label each output line with 'EXIT':
              # exitsnoop --label EXIT

       Trace per-thread termination:
              # exitsnoop --per-thread

FIELDS
       TIME-TZ
              Time of process termination HH:MM:SS.sss with milliseconds,
              where TZ is the local time zone, 'UTC' with --utc option.

       LABEL  The optional label if --label option is used. This is useful
              with the -t option for timestamps when the output of several
              tracing tools is sorted into one combined output.

       PCOMM  Process/command name.

       PID    Process ID.

       PPID   The process ID of the process that will be notified of PID
              termination.

       TID    Thread ID.

       EXIT_CODE
              The exit code for exit() or the signal number for a fatal
              signal.
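
       An added example (not part of the bcc man page or the tool's source)
       showing how one status word yields the two cases EXIT_CODE describes,
       and which events -x would keep. It assumes the traced value is a
       wait(2)-style status word (signal number in the low 7 bits, core-dump
       flag 0x80, exit status in the next byte); decode, describe, failures
       and the sample events are hypothetical names and constructed data.

```python
import signal
from typing import NamedTuple

class Termination(NamedTuple):
    kind: str    # "exit" or "signal"
    value: int   # exit status (0-255) or signal number
    core: bool   # core-dump flag, only meaningful for signals

def decode(status: int) -> Termination:
    """Split a wait(2)-style status word into exit code or fatal signal."""
    sig = status & 0x7F                    # low 7 bits: terminating signal
    if sig:
        return Termination("signal", sig, bool(status & 0x80))
    return Termination("exit", (status >> 8) & 0xFF, False)

def describe(t: Termination) -> str:
    """Render a decoded termination the way an analyst would read it."""
    if t.kind == "exit":
        return f"exit code {t.value}"
    try:
        name = signal.Signals(t.value).name
    except ValueError:                     # number with no named constant
        name = f"signal {t.value}"
    return f"killed by {name}" + (" (core dumped)" if t.core else "")

def failures(events):
    """Keep what -x keeps: everything except a clean exit(0)."""
    out = []
    for pcomm, pid, status in events:
        t = decode(status)
        if t != Termination("exit", 0, False):
            out.append(f"{pcomm}[{pid}]: {describe(t)}")
    return out

# Constructed sample events: (PCOMM, PID, raw status word).
SAMPLE = [
    ("sleep", 4101, 0x0000),   # exit(0)
    ("bash", 4102, 0x7F00),    # exit(127)
    ("worker", 4103, 0x0009),  # SIGKILL
    ("parser", 4104, 0x008B),  # SIGSEGV with core-dump bit (11 | 0x80)
]

if __name__ == "__main__":
    for line in failures(SAMPLE):
        print(line)
```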

OVERHEAD
       This traces the kernel sched_process_exit() function and prints output
       for each event. As the rate of this is generally expected to be low (<
       1000/s), the overhead is also expected to be negligible. If you have an
       application that has a high rate of process termination, then test and
       understand overhead before use.

SOURCE
       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.

OS
       Linux

STABILITY
       Unstable - in development.

AUTHOR
       Arturo Martin-de-Nicolas

SEE ALSO
       execsnoop(8)

USER COMMANDS                     2019-05-28                      exitsnoop(8)