I currently use:
CentOS release 6.3 (Final)
load up to 100, and I see that there are up to 300 writes/s to /var at the same time. An Apache restart solves the problem. I would like to know the reason, so I decided to use auditd.
auditctl -w /var -p warx

And for example:

ausearch -f /var -i -ts 04/29/2013 23:00:00 -te 04/29/2013 23:01:00 -ua 11111 | grep 'syscall=open' | wc -l

gives me "5", but in my monitoring I see that there were up to 300 writes per second to /var at the same moment (id 11111 – httpd) (I have verified the writes with command line tools).

ausearch -f /var -i -ts 04/29/2013 23:00:00 -te 04/29/2013 23:01:00 | grep 'syscall=open' | wc -l
Thanks to auditd I know that the syscalls are performed on /var/tmp but why is there such a difference in auditd output and writes measured in operating system?
Do I use auditd wrong?
Best regards, Rafal.
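One way to see what the /var watch actually recorded, instead of grepping for a single syscall name: parse the ausearch -i output and tally events by exact syscall and process, and per second, so the count can be set against the monitoring graph. This is an added example, not part of the question above; the audit records in SAMPLE are constructed to look like ausearch -i output and are not real logs.

```python
"""Tally ausearch -i events by (syscall, comm) and by second.
Added example; the records below are constructed, not real audit output."""
import re
from collections import Counter

# Constructed sample: three events from one httpd process under /var/tmp.
SAMPLE = """\
----
type=PATH msg=audit(04/29/2013 23:00:01.103:9001) : item=0 name=/var/tmp/sess_a1 inode=131 dev=08:02 mode=file,600 ouid=apache ogid=apache rdev=00:00
type=SYSCALL msg=audit(04/29/2013 23:00:01.103:9001) : arch=x86_64 syscall=open success=yes exit=14 items=1 pid=2201 uid=apache comm=httpd exe=/usr/sbin/httpd key=(null)
----
type=PATH msg=audit(04/29/2013 23:00:01.210:9002) : item=0 name=/var/tmp/sess_b2 inode=132 dev=08:02 mode=file,600 ouid=apache ogid=apache rdev=00:00
type=SYSCALL msg=audit(04/29/2013 23:00:01.210:9002) : arch=x86_64 syscall=openat success=yes exit=15 items=1 pid=2201 uid=apache comm=httpd exe=/usr/sbin/httpd key=(null)
----
type=PATH msg=audit(04/29/2013 23:00:02.004:9003) : item=0 name=/var/tmp/sess_a1 inode=131 dev=08:02 mode=file,600 ouid=apache ogid=apache rdev=00:00
type=SYSCALL msg=audit(04/29/2013 23:00:02.004:9003) : arch=x86_64 syscall=unlink success=yes exit=0 items=1 pid=2201 uid=apache comm=httpd exe=/usr/sbin/httpd key=(null)
"""

FIELD = re.compile(r'(\w+)=(\S+)')            # key=value pairs on a record line
TS = re.compile(r'msg=audit\(([^.]+)\.')       # "04/29/2013 23:00:01" from msg=audit(...)

def parse_events(text):
    """Split ausearch -i text on '----' separators; return one dict per event
    holding the SYSCALL record's fields, its timestamp, and the PATH names."""
    events = []
    for chunk in text.split('----'):
        ev, paths = {}, []
        for line in chunk.strip().splitlines():
            fields = dict(FIELD.findall(line))
            if fields.get('type') == 'SYSCALL':
                m = TS.search(line)
                ev.update(fields, time=m.group(1) if m else '?')
            elif fields.get('type') == 'PATH' and 'name' in fields:
                paths.append(fields['name'])
        if ev:
            ev['paths'] = paths
            events.append(ev)
    return events

def tally(events):
    """Count events per exact (syscall, comm) and per whole second. A grep for
    'syscall=open' would report only the first bucket here (and, as a substring
    match, also openat), while the watch recorded three events."""
    by_call = Counter((e['syscall'], e['comm']) for e in events)
    per_sec = Counter(e['time'] for e in events)
    return by_call, per_sec

if __name__ == '__main__':
    calls, seconds = tally(parse_events(SAMPLE))
    for key, n in sorted(calls.items()):
        print('%-8s %-6s %d' % (key[0], key[1], n))
    for sec, n in sorted(seconds.items()):
        print('%s  %d events' % (sec, n))
```

Run it on real data with `ausearch -f /var -i -ts ... -te ... | python tally.py` after replacing SAMPLE with `sys.stdin.read()`.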