What Process Is Writing To A Given File?

by bitznbitez

It’s a standard admin situation. You have a full or filling filesystem. You can identify which files have changed in the last 15 minutes via “find . -mmin -15 -ls”. But how do you find out what process is writing to the file?

The short answer is that you can’t find out for sure which process is writing, but you can find out for sure which processes have the file open, which is usually enough. Take the obvious case of the file:


which is obviously a db2 transaction log file. Let’s find out who has it open.

blackwater LOGSTREAM0000 # lsof | grep S0000000.LOG
db2sysc 18170 db2inst1 15rW REG 8,17 409608192 15204384 /local/db2/database/db2inst1/NODE0000/SQL00001/LOGSTREAM0000/S0000000.LOG
db2sysc 18170 db2inst1 35uW REG 8,17 409608192 15204384 /local/db2/database/db2inst1/NODE0000/SQL00001/LOGSTREAM0000/S0000000.LOG
blackwater LOGSTREAM0000 #

And there you have it. The file is held open by process 18170, named db2sysc, running as user db2inst1.

That was pretty painless, wasn’t it?
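
An added example, not from the original post: lsof's FD column puts the access mode right after the descriptor number (r read, w write, u read/write), followed by a lock character, so the list can be narrowed to descriptors actually opened for writing. The sample input is constructed from the two lsof lines above plus two made-up entries; sample_lsof and writers_of are hypothetical names, and the nine-column default lsof layout shown above is assumed.

```shell
#!/bin/sh
# Path taken from the lsof output in the post.
LOG=/local/db2/database/db2inst1/NODE0000/SQL00001/LOGSTREAM0000/S0000000.LOG

# Constructed sample: the two db2sysc lines from the post, plus a made-up
# read-only "tail" and a made-up cwd entry to show what gets filtered out.
sample_lsof() {
cat <<'EOF'
COMMAND   PID     USER   FD   TYPE DEVICE  SIZE/OFF     NODE NAME
db2sysc 18170 db2inst1  15rW  REG   8,17 409608192 15204384 /local/db2/database/db2inst1/NODE0000/SQL00001/LOGSTREAM0000/S0000000.LOG
db2sysc 18170 db2inst1  35uW  REG   8,17 409608192 15204384 /local/db2/database/db2inst1/NODE0000/SQL00001/LOGSTREAM0000/S0000000.LOG
tail    20311     root    3r  REG   8,17 409608192 15204384 /local/db2/database/db2inst1/NODE0000/SQL00001/LOGSTREAM0000/S0000000.LOG
bash    20100     root  cwd   DIR   8,17      4096 15204380 /local/db2/database/db2inst1/NODE0000/SQL00001/LOGSTREAM0000
EOF
}

# writers_of FILE
# Reads default-format lsof output on stdin (assumed columns:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME) and prints
# "PID COMMAND USER FD" for every descriptor on FILE opened with
# write access. Paths containing spaces are not handled.
writers_of() {
    awk -v target="$1" '
        NR == 1 && $1 == "COMMAND" { next }   # skip the header line
        $9 != target               { next }   # only the file of interest
        # FD = digits, then mode: w (write) or u (read/write).
        # r (read-only) and non-numeric FDs such as cwd, txt, mem are skipped.
        $4 ~ /^[0-9]+[wu]/ { print $2, $1, $3, $4 }
    '
}

# Stand-alone demo on the constructed sample.
sample_lsof | writers_of "$LOG"
```

On a live system the same function can be fed with the output of lsof run against the file. Descriptor 15 of db2sysc is read-only with a whole-file write lock (the trailing W), so only descriptor 35 is reported.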