Filter out failed syscalls from strace log

Apart from post-processing the strace output, there isn’t anything available to ignore failed system calls in strace. It wouldn’t be too hard to add, look at the syscall_exiting_trace function in syscall.c.

If you’d rather pursue the post-processing angle, Ole Tange has already taken care of that for you in a more comprehensive way than you’re likely to get here: the tracefile tool will run strace and filter out the information you’re after in a nicely readable fashion. See List the files accessed by a program for details. Another answer to that question lists other possible approaches, including LoggedFS which I find very useful.

Another option is to use SystemTap; for example

#!/usr/bin/env stap

global stored_filename, stored_path

probe syscall.open {
  stored_filename = filename
}

probe syscall.open.return {
  if (execname() == "cat" && $return >= 0) {
    printf("opened %s\n", stored_filename)
  }
}

probe syscall.openat {
  stored_filename = filename
  stored_path = dfd_str
}

probe syscall.openat.return {
  if (execname() == "cat" && $return >= 0) {
    printf("opened %s in %s\n", stored_filename, stored_path)
  }
}

will show the name of any file successfully opened by any cat process.

Possible solution:

strace -e trace=file sleep 1 2>&1 | grep -v "= -1 ENOENT" > strace.log

strace by default prints to stderr so redirect it to stdout.