ngingx.pid disappeared mysteriously. .
Is there any way to monitor this file for a period of time
Who operated on it?
習慣沉默2017-05-16 17:32:06
It seems to be more troublesome. The inotify mechanism provided after Linux 2.6.13 can monitor when files are deleted, but it may not be easy to obtain the deleter's information.
To go around a bit, write an unlink function, wrap the unlink system call, save the file name given by the call, the pid of the calling process and other information somewhere, and then replace the system's unlink function with the LD_PRELOAD mechanism of Linux. If the deleter does not statically link/assemble and directly calls unlink, the result should be visible.