I have read the article https://tailscale.com/blog/case-of-spiky-file-descriptors/ where the author investigates anomalies in the number of open file descriptors. He said that he made snapshots of open files using lsof, which allowed him to track the lifetime of a file:

01:12:17.24    tailcontr 142810 ubuntu  273u     IPv6   5725049    0t0     TCP 172.31.10.244:https->1.2.3.4:57666 (ESTABLISHED)
01:13:32.17    tailcontr 142810 ubuntu  273u     IPv6   5725049    0t0     TCP 172.31.10.244:https->1.2.3.4:57666 (CLOSE_WAIT)
01:14:03.22    tailcontr 142810 ubuntu  273u     sock       0,8    0t0 5725049 protocol: TCPv6
01:16:53.93    (socket is removed)

What flags should be used to track the lifetime of a file as given in the example above?

P.S.: I want to investigate a similar problem with TCPv6 connections. According to lsof -u <user> I have a lot of files looking like:

01:14:03.22    tailcontr 142810 ubuntu  273u     sock       0,8    0t0 5725049 protocol: TCPv6

And I want to understand where these connections were made to.

1 Answer

In your case lsof will not be the exact tool. Better to activate auditd and configure it to track the creation and deletion of files. In /etc/audit.rules you can add something like

# watch one file; -p war = write, attribute change, read; tag records with key 'fileops'
-w /path/to/file -p war -k fileops
# log unlink/rename syscalls on anything under the directory, same key
-a always,exit -F dir=/path/to/ -S unlink -S unlinkat -S rename -S renameat -k fileops

This will monitor read, write and append file operations, and delete (unlink) operations in the directory where the file is created.

The records can later be filtered by the key name fileops.

Romeo Ninov
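Added example, not part of the question, the answer above or the Tailscale post: a snapshot-based tracker in the spirit of the timestamped lsof output in the question, but reading /proc directly so it can be run offline and tested. /proc/<pid>/fd gives fd -> "socket:[inode]", and /proc/net/tcp and /proc/net/tcp6 map that inode to local/remote address and TCP state. A socket inode that an fd still references but that is no longer listed in /proc/net/tcp6 is reported as orphaned; my reading is that this is the state lsof prints as "sock ... protocol: TCPv6". Assumptions: Linux /proc layout, a little-endian host (the address words in /proc/net/tcp* are printed in host order), and permission to read the target process's fd directory. The function names (parse_addr, parse_proc_net_tcp, describe_fds, snapshot, track) are my own.

```python
import os
import re
import socket
import struct
import sys
import time
from datetime import datetime

# TCP state codes as printed in the 'st' column of /proc/net/tcp{,6}.
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING", 0x0C: "NEW_SYN_RECV",
}

SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")


def parse_addr(hexaddr):
    """Decode 'HEXADDR:HEXPORT' from /proc/net/tcp or tcp6 into ('ip', port).
    The kernel prints each 32-bit word of the address as a host-order integer,
    so on a little-endian host the bytes are reversed within every word
    (assumption: little-endian host)."""
    host, port = hexaddr.split(":")
    words = [int(host[i:i + 8], 16) for i in range(0, len(host), 8)]
    raw = b"".join(struct.pack("<I", w) for w in words)
    family = socket.AF_INET6 if len(raw) == 16 else socket.AF_INET
    return socket.inet_ntop(family, raw), int(port, 16)


def parse_proc_net_tcp(text):
    """Map socket inode -> (local, remote, state) from /proc/net/tcp{,6} text."""
    table = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        state = int(f[3], 16)
        table[int(f[9])] = (parse_addr(f[1]), parse_addr(f[2]),
                            TCP_STATES.get(state, "0x%02X" % state))
    return table


def describe_fds(fd_links, conn_table):
    """Given {fd: readlink target} and the inode table, describe every socket fd.
    An inode that is still held open but has left the TCP table is 'orphaned':
    the kernel no longer exposes its peer address, so only the inode is known."""
    out = {}
    for fd, target in sorted(fd_links.items()):
        m = SOCKET_RE.match(target)
        if not m:
            continue
        inode = int(m.group(1))
        if inode in conn_table:
            (lh, lp), (rh, rp), st = conn_table[inode]
            out[fd] = "inode %d %s:%d -> %s:%d (%s)" % (inode, lh, lp, rh, rp, st)
        else:
            out[fd] = "inode %d orphaned (not in /proc/net/tcp*)" % inode
    return out


def snapshot(pid):
    """Take one live snapshot of a process; needs the same uid as the process or root."""
    fd_dir = "/proc/%d/fd" % pid
    links = {}
    for name in os.listdir(fd_dir):
        try:
            links[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            pass  # fd closed between listdir() and readlink()
    table = {}
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        with open(path) as fh:
            table.update(parse_proc_net_tcp(fh.read()))
    return describe_fds(links, table)


def track(pid, interval=1.0):
    """Print a timestamped line whenever a socket fd appears, changes or disappears,
    reproducing the per-fd lifetime view from the question."""
    prev = {}
    while True:
        cur = snapshot(pid)
        ts = datetime.now().strftime("%H:%M:%S.%f")[:-4]
        for fd in sorted(set(prev) | set(cur)):
            if prev.get(fd) != cur.get(fd):
                print(ts, "fd %du" % fd, cur.get(fd, "(socket is removed)"))
        prev = cur
        time.sleep(interval)


if __name__ == "__main__":
    track(int(sys.argv[1]), float(sys.argv[2]) if len(sys.argv) > 2 else 1.0)
```

Run as `python3 track.py <pid> [interval]`. Because an orphaned socket no longer has an entry in /proc/net/tcp6, the remote address for the "sock ... protocol: TCPv6" lines in the P.S. can only come from a snapshot taken while the connection was still ESTABLISHED or CLOSE_WAIT, which is why continuous snapshots (or auditd, as the answer suggests) are needed rather than a single lsof run.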