Logging of what ended a process?
System will end processes from time to time.
Yes, the Linux kernel can kill processes when there is a severe lack of memory (and swap!). The feature that does this is called "oomkiller" (out of memory killer) and detailed information is written to the kernel log about the process was killed. You can see that log with dmesg
and the syslog server is usually configured to write it to /var/log/kern.log
.
However, if your system is running so low on memory that this happens on a regular basis, that's usually considered a critical problem that should be addressed. There is no way to control which process the oomkiller will choose to kill, and it might very well kill important system processes from time to time, so you cannot really count on your system being fully stable after this has happened.
I would also like to log user that uses kill cmd
That information is not collected or logged by anything and is not available. About the best you might hope for is that someone ran sudo kill <something>
in which case sudo
(not kill
) will log the command. But normal users probably aren't using sudo
.
Related videos on Youtube
wez
Updated on September 18, 2022Comments
-
wez over 1 year
Due to the tight resources of the server, I suspect System will end processes from time to time. I want those events to be logged in a separate file for investigation.
How do I set that in syslog.conf? I would also like to log user that uses kill cmd to end process.
System is CentOS release 6.4 running with rsyslogd.
-
Gilles 'SO- stop being evil' over 9 yearsMost of your questions are covered in Where can I see a list of kernel killed processes? plus What did I just kill? plus Is there a log of past threads that are now closed?
-
-
Sreeraj over 9 years
-
Wildcard almost 7 years"I would also like to log user that uses kill cmd to end process." Actually, there are all kinds of things wrong with that question. Users can only kill their own processes, unless they have root permissions. Without root permissions, you know who killed any given process: it was either the process's owner, or it was root. If users use
sudo
then you have logging. But if users are logged in as root, then what do you mean by "log users that use the kill command"? You mean log which people use the kill command? But the kernel doesn't know about people, only about users.