Problem :
I’d like to track down processes that try to connect to a certain port (on a remote host).
So, I discovered that auditd is very powerful for this kind of task. The following commands instruct auditd to log every connect syscall:
auditctl -a always,exit -F arch=b64 -S connect
auditctl -a always,exit -F arch=b32 -S connect
The log is then stored in /var/log/audit/. But the content is pretty complex. There’s ausearch that can be used to filter the log, but maybe some of you already know how to solve this.
P.S. I don’t want to use netstat because I want to see even the failed connections etc.
Thanks in advance
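Added example (not part of the original question): with the two rules above in place, every connect() produces a SYSCALL record (pid, comm, exe, success=yes/no, exit=errno) followed by a SOCKADDR record whose saddr field is the raw hex of the struct sockaddr passed to connect(). The script below parses that raw audit.log format, decodes AF_INET/AF_INET6 destinations, and lists every process that tried to reach a given port, failed attempts included. The log lines are constructed for illustration and the key name outbound_connect is an assumption (add it with -k outbound_connect on the auditctl rules so ausearch -k can select the same events).

```python
import ipaddress
import re
import struct

# Constructed sample records in raw /var/log/audit/audit.log format (not real captures).
# Serial 501: curl -> 192.168.0.10:443 succeeded; 502: nc -> 10.0.0.5:443 refused (exit=-111);
# 503: ssh -> [2001:db8::1]:22 over IPv6. The key name outbound_connect is assumed.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1234 a2=10 a3=0 items=0 ppid=1000 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="outbound_connect"
type=SOCKADDR msg=audit(1700000000.123:501): saddr=020001BBC0A8000A0000000000000000
type=SYSCALL msg=audit(1700000000.456:502): arch=c000003e syscall=42 success=no exit=-111 a0=4 a1=7ffd5678 a2=10 a3=0 items=0 ppid=1000 pid=2350 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="nc" exe="/usr/bin/nc" key="outbound_connect"
type=SOCKADDR msg=audit(1700000000.456:502): saddr=020001BB0A0000050000000000000000
type=SYSCALL msg=audit(1700000000.789:503): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd9abc a2=1c a3=0 items=0 ppid=1000 pid=2360 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ssh" exe="/usr/bin/ssh" key="outbound_connect"
type=SOCKADDR msg=audit(1700000000.789:503): saddr=0A000016000000002001" "0DB8000000000000000000000001" "00000000
"""
```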
Solution :
Auditd’s logs do capture process IDs (see Red Hat’s Documentation). However, these only came from the server’s processes serving incoming connection requests.
However, I do not believe that there is a way to obtain PID of failed or successful connections from clients since it is not transmitted over the network in the first place.