Httpd Writes Much To /var? How To Audit It Properly?

Home » CentOS » Httpd Writes Much To /var? How To Audit It Properly?
CentOS No Comments

Hi All.

I currently use:
Apache/2.2.21
on:
2.6.32-279.9.1.el6.CentOS.plus.x86_64
CentOS release 6.3 (Final)

load up to 100, and I see that there are up to 300/s writes to /var at the same time. Apache restart solves the problem. I would like to know the reason so I decided to use auditd.

I’ve used:
auditctl -w /var -p warx And for example:

ausearch -f /var -i -ts 04/29/2013 23:00:00 -te 04/29/2013 23:01:00 -ua
11111 | grep ‘syscall=open’ | wc -l

gives me “5” but in my monitoring I see that there were up to 300 writes per second to /var at the same moment (id 11111 – httpd) (I have verified the writes with command line tools).

ausearch -f /var -i -ts 04/29/2013 23:00:00 -te 04/29/2013 23:01:00 | grep
‘syscall=open’ | wc -l

gives:

15

Thanks to auditd I know that the syscalls are performed on /var/tmp but why is there such a difference in auditd output and writes measured in operating system?

Do I use auditd wrong?

Best regards, Rafal.

LEAVE A COMMENT