I'm trying to find out how much disk read/write each process has done during specific time periods, such as since boot, since the last boot, and since the third last boot. The reason is that in the past I had some rogue applications on a Windows system that did 15TBW because of a bug.
iotop does this, but it removes closed processes from the list. The rationale being `keeping them forever will become problematic after the PID is reused for a new process`.
iotop has a batch mode and there's /proc/$PID/io, but if you want to track processes after the fact, you'll have to keep a permanent log (i.e. batch iotop and log the top write):
sudo iotop -a -q -P -b | grep -A4 -P '^(?!.*grep).*Total DISK'
This will, however, not help if the offending process uses subprocesses for the IO.
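Added example, not part of the posts above: one way to keep the permanent log from /proc/$PID/io so that exited processes stay in the record and a reused PID gets its own entry. The log path, the 10-second interval and the function names are assumptions; reading the io file of other users' processes needs root.

```python
import json, os, time

LOG = "/var/log/proc-io.json"  # hypothetical path for the permanent log

def read_io(proc, pid):
    """Return (starttime, comm, read_bytes, write_bytes), or None if gone/unreadable."""
    try:
        with open(os.path.join(proc, pid, "stat")) as f:
            stat = f.read()
        with open(os.path.join(proc, pid, "io")) as f:
            io = dict(l.split(": ", 1) for l in f.read().splitlines())
        # comm may contain spaces or ')', so cut at the last ')'
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        start = int(stat[stat.rindex(")") + 2:].split()[19])  # stat field 22
        return start, comm, int(io["read_bytes"]), int(io["write_bytes"])
    except (OSError, ValueError, KeyError, IndexError):
        return None  # process exited mid-read, or not readable without root

def sample(state, proc="/proc"):
    """Record current counters; entries of exited processes are kept as last seen."""
    with open(os.path.join(proc, "sys/kernel/random/boot_id")) as f:
        boot = f.read().strip()
    for pid in filter(str.isdigit, os.listdir(proc)):
        rec = read_io(proc, pid)
        if rec:
            start, comm, rd, wr = rec
            # boot id + pid + start time stays unique even when a PID is reused
            state[f"{boot}:{pid}:{start}"] = {"comm": comm, "read_bytes": rd, "write_bytes": wr}
    return state

def top_writers(state, boot, n=5):
    """Largest writers of one boot, as (write_bytes, key, comm)."""
    rows = [(v["write_bytes"], k, v["comm"]) for k, v in state.items()
            if k.startswith(boot + ":")]
    return sorted(rows, reverse=True)[:n]

if __name__ == "__main__":
    state = {}
    if os.path.exists(LOG):
        with open(LOG) as f:
            state = json.load(f)
    while True:
        sample(state)
        with open(LOG + ".tmp", "w") as f:
            json.dump(state, f)
        os.replace(LOG + ".tmp", LOG)  # atomic swap, no half-written log
        time.sleep(10)
```

A process that starts and exits between two samples is never seen, and the last value logged for an exited process is from the sample before it ended, so the totals are lower bounds.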
Take a look at the Audit framework. If you manage to compose audit rules for the read/write syscall family, filtered by descriptors for regular files, theoretically it should work. I've never done this, but I would start from there.