I’d like to track down processes that try to connect to a certain port (on a remote host).
So, I discovered that auditd is very powerful for this kind of task. The following commands instruct auditd to log every connect syscall:
auditctl -a always,exit -F arch=b64 -S connect
auditctl -a always,exit -F arch=b32 -S connect
The log is then stored in /var/log/audit/, but the content is pretty complex. There’s ausearch, which can be used to filter the log, but maybe one of you already knows how to solve this.
P.S. I don’t want to use netstat because I want to see even the failed connections, etc.
Thanks in advance
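One way to answer the question from the raw audit records, as an added example that is not code from the poster: each connect() produces a SYSCALL record (pid, comm, exe, success, exit) and a SOCKADDR record carrying the destination as a hex-encoded struct sockaddr; the two share an event serial, so joining them and decoding the port lets you list every process that attempted a connection to a given port, failed attempts included. The log lines below are constructed, and they assume the rules from the question were loaded with an extra `-k net-connect` so that `ausearch -k net-connect` can pull exactly these records out of /var/log/audit/audit.log.

```python
import re
import socket
import struct
from collections import defaultdict

# Constructed sample in raw auditd format (not from a real host): two connect()s to 8080 (one failed), one to 443.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1600000000.101:900): arch=c000003e syscall=42 success=no exit=-111 a0=3 a1=7ffd1 a2=10 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 comm="curl" exe="/usr/bin/curl" key="net-connect"
type=SOCKADDR msg=audit(1600000000.101:900): saddr=02001F900A0000010000000000000000
type=SYSCALL msg=audit(1600000000.202:901): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffd2 a2=10 a3=0 items=0 ppid=1 pid=4343 auid=1000 uid=1000 gid=1000 comm="python3" exe="/usr/bin/python3" key="net-connect"
type=SOCKADDR msg=audit(1600000000.202:901): saddr=02001F90C0A8000A0000000000000000
type=SYSCALL msg=audit(1600000000.303:902): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd3 a2=10 a3=0 items=0 ppid=1 pid=4444 auid=1000 uid=1000 gid=1000 comm="wget" exe="/usr/bin/wget" key="net-connect"
type=SOCKADDR msg=audit(1600000000.303:902): saddr=020001BB0A0000020000000000000000
"""

EVENT_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AF_INET_LINUX, AF_INET6_LINUX = 2, 10   # family values as the Linux kernel writes them

def decode_saddr(hexstr):
    """Decode a SOCKADDR saddr blob into (ip, port); None for non-IP families."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 4:
        return None
    family = struct.unpack('<H', raw[:2])[0]    # sa_family is host (little-endian) order
    port = struct.unpack('!H', raw[2:4])[0]     # sin_port / sin6_port is network order
    if family == AF_INET_LINUX and len(raw) >= 8:
        return socket.inet_ntop(socket.AF_INET, raw[4:8]), port
    if family == AF_INET6_LINUX and len(raw) >= 24:
        return socket.inet_ntop(socket.AF_INET6, raw[8:24]), port
    return None                                 # AF_UNIX, netlink, ...

def connects_to_port(log_text, port):
    """Join SYSCALL and SOCKADDR records by event serial; keep connect()s to `port`."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        ev = events[serial]
        ev['time'] = ts
        if rtype == 'SYSCALL':
            ev.update(pid=int(fields['pid']), comm=fields['comm'], exe=fields['exe'],
                      success=fields['success'] == 'yes', exit=int(fields['exit']))
        elif rtype == 'SOCKADDR':
            ev['dest'] = decode_saddr(fields['saddr'])
    return [ev for ev in events.values()
            if 'pid' in ev and ev.get('dest') and ev['dest'][1] == port]
```

Feeding the real audit.log through connects_to_port with the port of interest gives one entry per attempt, and the `success`/`exit` fields separate refused connections (exit=-111 is ECONNREFUSED) from ones that went through, which is the part netstat cannot show.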
Auditd’s logs do capture process IDs (see Red Hat’s Documentation). However, these only came from the server’s processes serving incoming connection requests.
However, I do not believe that there is a way to obtain the PID of failed or successful connections from clients, since it is not transmitted over the network in the first place.