hiranp/log_process_writers.sh

## log_process_writers.sh
#!/bin/bash

# Get list of processes writing to /var using lsof
# https://serverfault.com/questions/315091/find-out-which-process-is-writing-into-a-specific-directory

# output_file="processes.csv"

# if [ ! -f "$output_file" ]; then
#   touch "$output_file"
# fi

# echo "PID,File,Size" >>$output_file

# # Get list of processes writing to /var
# processes=$(lsof +r2 | grep '/var' | awk '{print $2}' | sort -u)

# for pid in $processes; do

#   # Get list of files written to by process
#   files=$(ls -l /proc/"$pid"/fd | grep '/var' | awk '{print $11}')

#   for file in $files; do
#     size=$(du -sh "$file" 2>/dev/null | awk '{print $1}')
#     echo "$pid,$file,$size" >>$output_file
#   done

# done

# # Method 2 using find and fuser
# output_file="output.csv"
# echo "PID,File,Size" >$output_file

# while true; do
#   find /var -type f -execdir fuser {} 2>/dev/null | xargs -n1 -I {} echo {} | sort -u | while read pid; do
#     ls -l /proc/"$pid"/fd | grep '/var' | awk '{print $11}' | while read file; do
#       size=$(du -sh "$file" 2>/dev/null | awk '{print $1}')
#       echo "$pid,$file,$size" >>$output_file
#     done
#   done
#   sleep 2
# done

output_file="process_log.csv"
echo "PID,File,Size" >$output_file

# Function to get list of processes writing to /var using lsof
get_processes_lsof() {
  lsof +r2 | grep '/var' | awk '{print $2}' | sort -u
}

# Function to get list of processes writing to /var using find and fuser
get_processes_fuser() {
  find /var -type f -execdir fuser {} \; 2>/dev/null | xargs -n1 -I {} echo {} | sort -u
  find /var -type f -print0 | xargs -0 -n1 fuser 2>/dev/null | xargs -0 -n1 -I {} echo {} | sort -u
  find /var -type f -exec fuser {} + 2>/dev/null | xargs -n1 -I {} echo {} | sort -u
}

while true; do
  # Is lsof installed
  if command -v lsof &>/dev/null; then
    processes=$(get_processes_lsof)
  else
    processes=$(get_processes_fuser)
  fi

  for pid in $processes; do
    files=$(ls -l /proc/"$pid"/fd | grep '/var' | awk '{print $11}')

    for file in $files; do
      size=$(du -sh "$file" 2>/dev/null | awk '{print $1}')
      echo "$pid,$file,$size" >>$output_file
    done
  done

  sleep 3 # Repeat every 3s
done
	#!/bin/bash

	# Get list of processes writing to /var using lsof
	# https://serverfault.com/questions/315091/find-out-which-process-is-writing-into-a-specific-directory

	# output_file="processes.csv"

	# if [ ! -f "$output_file" ]; then
	# touch "$output_file"
	# fi

	# echo "PID,File,Size" >>$output_file

	# # Get list of processes writing to /var
	# processes=$(lsof +r2 \| grep '/var' \| awk '{print $2}' \| sort -u)

	# for pid in $processes; do

	# # Get list of files written to by process
	# files=$(ls -l /proc/"$pid"/fd \| grep '/var' \| awk '{print $11}')

	# for file in $files; do
	# size=$(du -sh "$file" 2>/dev/null \| awk '{print $1}')
	# echo "$pid,$file,$size" >>$output_file
	# done

	# done

	# # Method 2 using find and fuser
	# output_file="output.csv"
	# echo "PID,File,Size" >$output_file

	# while true; do
	# find /var -type f -execdir fuser {} 2>/dev/null \| xargs -n1 -I {} echo {} \| sort -u \| while read pid; do
	# ls -l /proc/"$pid"/fd \| grep '/var' \| awk '{print $11}' \| while read file; do
	# size=$(du -sh "$file" 2>/dev/null \| awk '{print $1}')
	# echo "$pid,$file,$size" >>$output_file
	# done
	# done
	# sleep 2
	# done

	output_file="process_log.csv"
	echo "PID,File,Size" >$output_file

	# Function to get list of processes writing to /var using lsof
	get_processes_lsof() {
	lsof +r2 \| grep '/var' \| awk '{print $2}' \| sort -u
	}

	# Function to get list of processes writing to /var using find and fuser
	get_processes_fuser() {
	find /var -type f -execdir fuser {} \; 2>/dev/null \| xargs -n1 -I {} echo {} \| sort -u
	find /var -type f -print0 \| xargs -0 -n1 fuser 2>/dev/null \| xargs -0 -n1 -I {} echo {} \| sort -u
	find /var -type f -exec fuser {} + 2>/dev/null \| xargs -n1 -I {} echo {} \| sort -u
	}

	while true; do
	# Is lsof installed
	if command -v lsof &>/dev/null; then
	processes=$(get_processes_lsof)
	else
	processes=$(get_processes_fuser)
	fi

	for pid in $processes; do
	files=$(ls -l /proc/"$pid"/fd \| grep '/var' \| awk '{print $11}')

	for file in $files; do
	size=$(du -sh "$file" 2>/dev/null \| awk '{print $1}')
	echo "$pid,$file,$size" >>$output_file
	done
	done

	sleep 3 # Repeat every 3s
	done