Chris's Wiki :: blog/linux/LoadAverageMultiuserSpikes Commentshttps://utcc.utoronto.ca/~cks/space/blog/linux/LoadAverageMultiuserSpikes?atomcommentsDWiki2020-02-18T11:07:51ZRecent comments in Chris's Wiki :: blog/linux/LoadAverageMultiuserSpikes.By Tom Matthews on /blog/linux/LoadAverageMultiuserSpikestag:CSpace:blog/linux/LoadAverageMultiuserSpikes:a67e6f2b4a324a853b64d9f095f40fc89e5904deTom Matthews<div class="wikitext"><p>If it's the run queue, then why not try auditd to capture all the execve's over a time period?</p>
<pre>
$ sudo auditctl -a exit,always -S execve && sleep 300
$ sudo auditctl -d exit,always -S execve
$ less /var/log/audit/audit.log
</pre>
<p>I used a similar method a while back to track down what process/daemon was calling 'zpool get' every ten seconds. Very quickly learned it was docker!</p>
</div>2020-02-18T11:07:51Z