Does Linux log when a process is started, and the PID that gets assigned to it? Where can I find that log?

Solution 1

First of all, your message already contains the program name:

kernel: [11.895392] init: failsafe main process (631) killed by TERM signal

This means that the program failsafe with the pid 631 received a TERM signal.

To answer your original question: no, most Linux distributions don't log the PIDs of created processes by default, but you can use the audit framework and create the necessary rules to log all created processes. https://www.wzdftpd.net/docs/selinux/audit.html provides an introduction to these rules and should help you get started.
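
As an added illustration of the audit-framework approach (not part of the original answer): the rules in the comment make auditd record every execve, and the parser pairs each SYSCALL record with its EXECVE record to recover the PID, parent PID and command line. The key name `proc_start` is an assumption, and the sample records are constructed, not real output.

```python
import re

# Rules that make auditd log every program start. The key "proc_start" is an
# assumption of this example; load with auditctl or put in /etc/audit/rules.d/:
#   -a always,exit -F arch=b64 -S execve -k proc_start
#   -a always,exit -F arch=b32 -S execve -k proc_start

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records in the audit.log format (all values invented).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1347980000.123:101): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=631 auid=4294967295 uid=0 tty=(none) comm="failsafe" exe="/bin/dash" key="proc_start"
type=EXECVE msg=audit(1347980000.123:101): argc=3 a0="/bin/sh" a1="-e" a2=2F746D702F6D792066696C65
type=SYSCALL msg=audit(1347980002.456:102): arch=c000003e syscall=59 success=no exit=-2 ppid=631 pid=640 uid=0 comm="sh" exe="/bin/dash" key="proc_start"
type=SYSCALL msg=audit(1347980003.789:103): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=700 uid=0 comm="cat" exe="/bin/cat" key="etc_watch"
'''

def decode(value):
    """Quoted values are literal; auditd hex-encodes values with spaces etc."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # not hex, e.g. (null)

def process_starts(log_text, key="proc_start"):
    """Return one dict per successful syscall logged under `key`, in log order."""
    syscalls, argv = {}, {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, epoch, serial, body = m.groups()
        fields = dict(FIELD.findall(body))
        event_id = (epoch, serial)  # records of one event share this id
        if rtype == "SYSCALL" and fields.get("success") == "yes" \
                and decode(fields.get("key", '""')) == key:
            syscalls[event_id] = {"time": int(epoch), "pid": int(fields["pid"]),
                                  "ppid": int(fields["ppid"]),
                                  "comm": decode(fields["comm"]),
                                  "exe": decode(fields["exe"])}
        elif rtype == "EXECVE":
            n = int(fields.get("argc", "0"))
            argv[event_id] = [decode(fields[f"a{i}"]) for i in range(n)
                              if f"a{i}" in fields]
    return [dict(ev, argv=argv.get(eid, [])) for eid, ev in syscalls.items()]
```

Because the PID is written at execve time, it stays in the log after the process has been killed.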

Solution 2

You could log newly executed commands/processes using Snoopy.

If you need a simple logger and you are NOT looking for a security/auditing solution, then Snoopy might be it.

Disclosure: Snoopy maintainer here.

Author by

harperville

Updated on September 18, 2022

Comments

  • harperville over 1 year

    When my Ubuntu server starts up, I see a message that says: kernel: [11.895392] init: failsafe main process (631) killed by TERM signal. I would like to know what process this is but I'm not sure where to look. When I search through my syslog and kernel.log, I don't see any evidence of processes starting and being given an identifier (PID).

    I'd like to investigate my boot message (failsafe main process killed...) but first, I need to answer the question: When a process starts, where is that logged and does the PID that is assigned to it get logged as well?

    I understand that a process will write a PID file to reference later as necessary, but once the process is killed, can I find out what PID it used to have?

    • Janus Troelsen almost 12 years
      No, started processes are not logged. There are too many.
    • Janus Troelsen almost 12 years
      You can't find the PID of killed processes.
    • Janus Troelsen almost 12 years
      Only some processes have .pid files in /var/run.
    • Renan almost 12 years
      Only daemons will have the PID files (because they need it).
    • harperville almost 6 years
      @ciro you marked this as a duplicate? I posted this question in 2012. The one that is being linked to is from Oct 2014. Interesting logic.