exitsnoop - Trace all process termination (exit, fatal signal). Uses Linux eBPF/bcc.

       Arturo Martin-de-Nicolas

       exitsnoop traces process termination, showing the command name and reason for termination, either an exit
       or a fatal signal.

       It catches processes of all users, processes in containers, as well as processes that become zombie.

       This  works  by  tracing  the  kernel  sched_process_exit() function using dynamic tracing, and will need
       updating to match any changes to this function.

       Since this uses BPF, only the root user can use this tool.

       Trace all process termination
              # exitsnoop

       Trace all process termination, and include timestamps:
              # exitsnoop-t

       Exclude successful exits, only include non-zero exit codes and fatal signals:
              # exitsnoop-x

       Trace PID 181 only:
              # exitsnoop-p181

       Label each output line with 'EXIT':
              # exitsnoop--labelEXIT

       Trace per thread termination
              # exitsnoop--per-thread

       TIME-TZ
              Time of process termination HH:MM:SS.sss with milliseconds, where TZ is the local time zone, 'UTC'
              with --utc option.

       LABEL  The optional label if --label option is used.  This is useful with the -t  option  for  timestamps
              when the output of several tracing tools is sorted into one combined output.

       PCOMM  Process/command name.

       PID    Process ID

       PPID   The process ID of the process that will be notified of PID termination.

       TID    Thread ID.

       EXIT_CODE
              The exit code for exit() or the signal number for a fatal signal.

       exitsnoop - Trace all process termination (exit, fatal signal). Uses Linux eBPF/bcc.

       -h     Print usage message.

       -t     Include a timestamp column.

       --utc  Include a timestamp column, use UTC timezone.

       -x     Exclude successful exits, exit( 0 )

       -p PID Trace this process ID only (filtered in-kernel).

       --label LABEL
              Label each line with LABEL (default 'exit') in first column (2nd if timestamp is present).

       --per-thread
              Trace per thread termination

       Linux

       This  traces  the  kernel sched_process_exit() function and prints output for each event.  As the rate of
       this is generally expected to be low (< 1000/s), the overhead is also expected to be negligible.  If  you
       have an application that has a high rate of process termination, then test and understand overhead before
       use.

       CONFIG_BPF and bcc.

execsnoop(8)

USER COMMANDS                                      2019-05-28                                       exitsnoop(8)

       This is from bcc.

              https://github.com/iovisor/bcc

       Also  look  in  the bcc distribution for a companion _examples.txt file containing example usage, output,
       and commentary for this tool.

       Unstable - in development.

exitsnoop[-h][-t][--utc][-x][-pPID][--labelLABEL][--per-thread]