Forkstat uses the kernel proc connector interface to detect process activity. Proc connector allows forkstat to receive notifications of process events such as fork, exec, exit, core dump and changing the process name in the comm field over a socket connection.
By default, forkstat will just log fork, exec and exit events, but the -e option allows one to specify one or more of the fork, exec, exit, core dump or comm events. When a fork event occurs, forkstat will log the PID and process name of the parent and child, allowing one to easily identify where processes are originating. Where possible, forkstat attempts to track the life time of a process and will log the duration of a processes when it exits (note: this is not an estimate of the CPU used).
The -S option to forkstat will dump out a statistical summary of activity. This is useful to identify the frequency of processes activity and hence identifying the top offenders.
Forkstat is now available in Ubuntu 14.04 Trusty Tahr LTS. To install forkstat use:
sudo apt-get install forkstat
For more information on the tool and examples of the forkstat output, visit the forkstat quick start page.