Can I extract the full command line from an atop 1.23 data file?

Question

My production servers have atop version 1.23, and I have a data file written by it from which I need to extract the full command line of a process.

Unfortunately:

this version of atop won't display data beyond the 80th column of the display
horizontal scrolling was only introduced in 1.27
newer versions refuse to read data files written by older versions
the file itself is compressed, so a simple strings search won't work

Is there any way I can recover the full command line from my data file?

If I understand you correctly you are saying that `atop` itself will truncate at the 80th column. Therefore the "full" command line is not in the data file, only the first 80 characters. How can you recover something that is not there? Is using `ps` or `top -c` instead of atop an option? — terdon, May 14 '13 at 11:00
I suspect the command line may be in the data file but is not being displayed by `atop`. I need the data from the file because I'm looking at a specific event in the past. — Flup, May 14 '13 at 11:10

Stéphane Chazelas · Accepted Answer · 2018-11-24T19:04:22.410

Edit. After checking the man page, looks like you can get the full command line with:

atop -r /var/log/atop.log -P PRG

Some general approach to extract data from compressed files:

I can extract data from the atop log files with:

xxd -p < /var/log/atop.log |
  fold -w4 |
  awk -v cmd='xxd -r -p | zlib-flate -uncompress | strings' '
    /789c/{if (x) close(cmd); x=1}; x {print | cmd}' |
  grep your-command

The idea being to detect the zlib header (starting with 789c) and pass that to zlib-flate -uncompress. Not guaranteed bulletproof and not the most efficient way to do it, but does the trick for me.

Alternatives to zlip-flate -uncompress (part of qpdf) include openssl zlib -d and pigz -zd.

Impressive stuff sir! Unfortunately it seems that `atop` 1.23 does indeed truncate in the data file at 80 characters. Many thanks for the help though! — Flup, May 14 '13 at 11:33

score 4 · Answer 2 · edited Dec 09 '19 at 13:20

4

In a newer version there is an interactive command - c that shows the command line of the process with their arguments.

To do this you would find the location of your atop logs (eg. /var/log/atop/atop_20191209) and supply that to atop using the -r switch like so: atop -r /var/log/atop/atop_20191209 then press t to advance the time. To rewind the time you can press Shift+t.

edited Dec 09 '19 at 13:20

Jeff Schaller

66,199
35
114
250

answered Nov 24 '18 at 11:29

ildar

41
1

1

Does that work when reading from a file? – Jeff Schaller Nov 24 '18 at 12:50
1

And is that usable when reading from a file ***that was written by an earlier version**?* – G-Man Says 'Reinstate Monica' Nov 24 '18 at 22:38
I can confirm that it works when reading from a file @JeffSchaller. Not sure about if it is from an earlier version though. – Kredns Dec 06 '19 at 19:28
@Kredns: happy to hear! If you're able, suggest an edit to the post that shows how to do it; that would make the Answer even more valuable. Thank you! – Jeff Schaller Dec 06 '19 at 19:36
@JeffSchaller, good idea, done! :) – Kredns Dec 09 '19 at 13:16
@Kredns -- did we lose the `c` portion of the answer to corresponds to showing the command-line? (That's the point of this overall question) – Jeff Schaller Dec 09 '19 at 13:19
@JeffSchallerI did not remove anything from the answer, only added how to view the logs. – Kredns Dec 09 '19 at 13:51

Can I extract the full command line from an atop 1.23 data file?

2 Answers2