Suppose I specify a process (known process id), how do I monitor the creation and exit events of all recursive child processes of this process, including:
- When the child process was created
- The exit time of the child process
- The exit code of the child process
- The event that the child process is killed
I have already tried:
- bcc-tools: https://github.com/iovisor/bcc, it provides tools like execsnoop and exitsnoop, but it requires Linux 4.1 and above. Because the cluster I hold cannot easily upgrade the kernel (the current kernel is 3.10), I gave up on this method
- perf-tools: https://github.com/brendangregg/perf-tools, it provides execsnoop, which works on Linux 3.10, but it does not provide an exitsnoop to monitor the exit events of processes
- python watchdog to watch /proc/pid/*: I tried to use Python watchdog to monitor the event of file change in /proc/{pid}/task/{pid}/children. I want to know if the process (with {pid}) creates a subprocess (with {sub_pid}) so that I can watch the file change of /proc/{sub_pid}/*. But I found that the Python watchdog is unable to detect file changes of /proc/{pid}/task/{pid}/children.
- strace: strace has an impact on the performance of the monitored process, so I also gave up this method
So I wonder if there is any other way to monitor the process creation and exit events in Linux (3.10) without performance impact on the monitored process?
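
An added example (not part of the original question, and not code from any of the tools named in it): the descendant discovery through /proc/{pid}/task/{tid}/children described above, done by polling and diffing snapshots, because procfs content is generated at read time and does not produce file-change notifications. The function names and the SAMPLE_* data are constructed for illustration.

```python
import os
import time

# Constructed sample: child lists as they would be read at two successive polls.
SAMPLE_T0 = {100: {101, 102}, 101: {103}}
SAMPLE_T1 = {100: {101}, 101: {103, 104}}

def read_children(pid, proc="/proc"):
    """Return the child PIDs listed in <proc>/<pid>/task/<tid>/children of every thread."""
    kids = set()
    task_dir = os.path.join(proc, str(pid), "task")
    try:
        tids = os.listdir(task_dir)
    except OSError:                      # process is already gone
        return kids
    for tid in tids:
        try:
            with open(os.path.join(task_dir, tid, "children")) as f:
                kids.update(int(p) for p in f.read().split())
        except (OSError, ValueError):    # thread exited mid-scan, or file not provided
            continue
    return kids

def snapshot(root, reader=read_children):
    """Walk the tree below root and return {pid: parent_pid} for all descendants."""
    tree, stack = {}, [root]
    while stack:
        parent = stack.pop()
        for child in reader(parent):
            if child not in tree:
                tree[child] = parent
                stack.append(child)
    return tree

def diff(old, new, now):
    """Compare two snapshots; return (event, pid, parent_pid, timestamp) tuples."""
    events = [("created", p, new[p], now) for p in sorted(new.keys() - old.keys())]
    events += [("exited", p, old[p], now) for p in sorted(old.keys() - new.keys())]
    return events

def watch(root, interval=0.05):
    """Poll until root disappears, yielding events as they are observed."""
    old = {}
    while os.path.exists("/proc/%d" % root):
        new = snapshot(root)
        yield from diff(old, new, time.time())
        old = new
        time.sleep(interval)
```

Polling this way reports timestamps only to the precision of the interval, cannot report exit codes or which signal killed a process, and can miss processes that start and exit between two polls. Descendants whose parent exits are reparented and drop out of the tree, so they show up as exited.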