Daniel López Azaña

Language

English Español

Theme

Contact

daniloaz@gmail.com

Social Media

Blog

GNU/Linux, Open Source, Cloud Computing, DevOps and more...

Fatrace command: how to know in real time which processes are writing to a file

GNU/Linux , Tips & Tricks
fatrace command man page

It is usually easy to know which process or processes are writing to a given file in Linux, since we either know its origin and its nature beforehand (for example the Apache access_log), or we can easily find it out with the fuser or lsof commands. However, sometimes it will happen that although we know the role and purpose of a file, there are so many applications accesing it simultaneously that it is very difficult to know which of them is the one that reads/writes the most or does so in a precise moment. Knowing this would be very useful to learn for example why a log file is growing excessively or which application is making an abusive use of system resources , either by mistake or intentionally.

In order to get this information in Linux we have the fatrace command, which displays all file access events that occur within the whole system , giving us information about the file involved, the name and PID of the process responsible for that event and the event type, ie whether the file was opened, read, written or closed.

Normally the fatrace command will not be present in your system, but you can install it from your Linux distribution’s repositories as usual:

– Debian / Ubuntu:

$ sudo apt-get install fatrace

– Centos / Fedora / Red Hat:

$ sudo yum install -y fatrace

Once installed, you can see which processes read or write to a file in real time running the command like this:

$ sudo fatrace -f W | grep .xsession-errors
konsole(13009): W /home/daniloaz/.xsession-errors 
konsole(13009): W /home/daniloaz/.xsession-errors 
konsole(13009): W /home/daniloaz/.xsession-errors 
konsole(13009): W /home/daniloaz/.xsession-errors 
konsole(13009): W /home/daniloaz/.xsession-errors 
konsole(13009): W /home/daniloaz/.xsession-errors 
konsole(13009): W /home/daniloaz/.xsession-errors 
konsole(13009): W /home/daniloaz/.xsession-errors

In the example above you can see how the fatrace command displays lines that are repeated hundreds of times just by moving the mouse a bit, which is clearly indicating that the konsole process with PID 13009 has some kind of fault that is causing it to write inordinately to the .xsession-errors file. And this information was obtained while other processes kept writing simultaneously to the same file, which was our initial goal.

Linux Shell Linux Useful Commands

Share this article

X.com LinkedIn Facebook WhatsApp Email
Daniel López Azaña

About the author

Daniel López Azaña

Tech entrepreneur and cloud architect with over 20 years of experience transforming infrastructures and automating processes.

Specialist in AI/LLM integration, Rust and Python development, and AWS & GCP architecture. Restless mind, idea generator, and passionate about technological innovation and AI.

Related articles

linux-penguin-inside-a-box-tar-gz

15 most useful Linux commands for file system maintenance

One of the most common and tedious tasks of a sysadmin is to prevent file systems become completely full, because when a server runs out of space the consequences are unpredictable. Depending on how you structured the root file system and if it is divided into different partitions or volumes, those consequences will be more or less severe, but in any case undesirable.In any case it is always better to be safe than sorry, so use tools that perform automatic log rotation as logrotate and custom scripts to monitor and conduct periodic emptying actions to prevent file systems to get full. However, still using these prevention methods it is for sure it will be many times when you will have to act manually to troubleshoot problems.

October 1, 2014
cpu-cores

How to know how many cores and processors has a Linux box

The simplest and shortest method to measure the number of processors present on a Linux box, which is also widely extended as it’s part of coreutils is:Another way to get the same result which also allows us to obtain additional information from our processor are the lscpu command:Or we can examine the cpuinfo file from /proc filesystem:There are many additional details about these processors in /proc/cpuinfo file, including the CPU model and number of cores:

March 13, 2012
Ctrl+S

Unlock Linux command line after pressing Ctrl+s in Bash

Since the key combination Control+s is widely used as a shortcut to save files in GUI applications such as text editors, image editors, web browsers, etc. sometimes you are betrayed by your subconscious when you are working from the Linux command line and you use that same key combination when you are for example editing a Vim document when trying to save it. Then you notice that no key answers, the shell is locked and you can no longer do anything else in it.  Even worse, you get a cold sweat because you can’t continue editing your document and you can’t save the changes.

April 27, 2017

Comments

Be the first to comment

Submit comment

Back to blog