Balualways

Reputation: 4510

Find out the processes or scripts updating a file Solaris

I have a log file which captures the file transfer details from my server like rsh, sftp, ssh session details. I just want to backtrack and find out what all are the processes/scripts updating the log files. I am not quite sure how this information is captured.

The log file looks like:

Oct 15 11:43:35 myclient inetd[15032]: [ID 927837 daemon.info] connect from client22.mydomain.com
Oct 15 11:43:35 myclient inetd[15033]: [ID 927837 daemon.info] connect from Client101.mydomain.com
Oct 15 11:43:35 myclient inetd[15034]: [ID 927837 daemon.info] connect from client05dev.mydomain.com
Oct 15 11:43:36 myclient inetd[15038]: [ID 927837 daemon.info] connect from searay.mydomain.com
Oct 15 11:43:36 myclient in.rshd[15038]: [ID 724835 daemon.info] connect from [email protected] (ls -l /home/generic/fpcdetail/fpcdetail.bod.mm)
Oct 15 11:43:36 myclient inetd[15041]: [ID 927837 daemon.info] connect from pgdbsu01dev.mydomain.com
Oct 15 11:43:36 myclient in.rshd[15041]: [ID 724835 daemon.info] connect from [email protected] (ls -l /ifeeds/filemgr/filemgr.rimes.ftspeuro_industry_prn)
Oct 15 11:43:36 myclient inetd[15040]: [ID 927837 daemon.info] connect from client22.mydomain.com
Oct 15 11:43:38 myclient inetd[15044]: [ID 927837 daemon.info] connect from client22.mydomain.com

Upvotes: 1

Views: 273

Answers (1)

Anya Shenanigans

Reputation: 94829

That looks like syslog output. If that's the case, then you're going to find that the only process touching the logfile is syslogd. The programs use syslog(3) to perform the logging. In general, the name e.g. inetd[12345] is the name and process id of the program that performed the logging.

As you're using Solaris, you can use dtrace to see who's invoking syslog - see this dtrace one-liner for something similar to what you're looking for; but it is limited to the one pid that is being traced.

Upvotes: 2
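
The `name[pid]` convention described in the answer above, as an added example that is not part of the original answer: a parser for the line format shown in the question that lists which programs and PIDs logged through syslog, and which PIDs appear under more than one program name. The sample lines, host names and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Solaris syslog line: "Mon DD HH:MM:SS host tag[pid]: [ID msgid facility.level] message"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(?P<host>\S+)\s+"
    r"(?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s+"
    r"(?:\[ID\s+(?P<msgid>\d+)\s+(?P<facility>\w+)\.(?P<level>\w+)\]\s+)?"
    r"(?P<msg>.*)$"
)

# Constructed sample in the format of the question's log (hosts and paths are placeholders).
SAMPLE = """\
Oct 15 11:43:35 myclient inetd[15032]: [ID 927837 daemon.info] connect from hosta.example.com
Oct 15 11:43:36 myclient inetd[15038]: [ID 927837 daemon.info] connect from hostb.example.com
Oct 15 11:43:36 myclient in.rshd[15038]: [ID 724835 daemon.info] connect from user@hostb.example.com (ls -l /tmp/example)
Oct 15 11:43:38 myclient inetd[15044]: [ID 927837 daemon.info] connect from hosta.example.com
Oct 15 11:43:39 myclient last message repeated 2 times
"""

def records(text):
    """Yield one dict per line that matches the format; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"]) if rec["pid"] else None
            yield rec

def writers(text):
    """Map each logging program (tag) to the sorted PIDs that logged under it."""
    by_tag = defaultdict(set)
    for rec in records(text):
        by_tag[rec["tag"]].add(rec["pid"])
    return {t: sorted(p for p in pids if p is not None) for t, pids in by_tag.items()}

def shared_pids(text):
    """PIDs seen under more than one tag, with the tags they logged as."""
    tags = defaultdict(set)
    for rec in records(text):
        if rec["pid"] is not None:
            tags[rec["pid"]].add(rec["tag"])
    return {pid: sorted(t) for pid, t in tags.items() if len(t) > 1}

if __name__ == "__main__":
    print(writers(SAMPLE))      # programs that called syslog, with their PIDs
    print(shared_pids(SAMPLE))  # same PID logging under two program names
```

The tags and PIDs identify the callers of syslog(3); the file itself is still written only by syslogd, so this summarises who generated entries, not who opened the file.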
