Hi,
I am running a program that I suspect may be making changes to the filesystem, but I do not know which ones. I would like to know if there is a daemon/program that could help me monitor those changes. I tried AIDE; however, it works by creating a database of checksums for each file and does not report potential changes in real time. I would rather use a program that logs changes and timestamps them. Furthermore, AIDE is not usable with /var files, since there are many of them and they change so often. Is there another good solution?
Alternatively, I would like to run the program under monitoring. For instance, run the process as:
monitor_program my_program_to_monitor logfile
This would dump into logfile what my_program_to_monitor does to the filesystem.
Thanks in advance.
Last edited by zebulon (2011-08-24 15:44:10)
inotify! It's the kernel's built-in API for monitoring filesystem events; it's real-time and very easy.
Install inotify-tools with pacman; you can then use it like
inotifywait -m -e MODIFY -r /path/to/your/directory/to/monitor
to recursively monitor changes to files in that directory.
Many thanks! That looks good. I looked at the man page, but could not find out: is it possible to output the PID of the process doing the MODIFY?
No, at least with inotifywait it is not possible. Once you know which file is being changed, you can use "lsof" to see which processes have that file open.
I tried the following to search the lsof output as soon as inotifywait finds a file change:
file=$(inotifywait -r /home/mang/watch --format %w | sed 's/.$//'); lsof | grep "$file"
while running "vi /home/mang/watch/test" in another terminal.
The output is:
zsh 12574 mang cwd DIR 254,11 4096 4723089 /home/mang/watch
vi 16790 mang cwd DIR 254,11 4096 4723089 /home/mang/watch
Try it!
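Putting the two answers above together, here is an added example (not code from the thread) in the shape of the "monitor_program my_program_to_monitor logfile" wrapper the original question asked for. It starts inotifywait on a directory, runs the target program, writes every event to the logfile with a timestamp, and, since inotify itself reports no PID, follows each write-type event with the lsof entries for the touched path, as the second answer suggests. The script name fswatch_run.sh, the log record layout and the sample inotifywait line in the comments are all assumptions made here; it needs inotify-tools and lsof installed.

```shell
#!/bin/sh
# fswatch_run.sh (hypothetical name): added example, not from the thread.
# Usage: fswatch_run.sh WATCHDIR LOGFILE PROGRAM [ARGS...]
# Watches WATCHDIR with inotifywait while PROGRAM runs, logs timestamped
# events to LOGFILE and tries to attribute write events with lsof.

# Turn one inotifywait output line into a log record.
# Assumes inotifywait was started with
#   --timefmt '%Y-%m-%dT%H:%M:%S' --format '%T|%w|%f|%e'
# so a (constructed) line looks like:
#   2011-08-24T15:44:10|/home/mang/watch/|test|MODIFY
# and the record becomes:
#   2011-08-24T15:44:10 MODIFY /home/mang/watch/test
format_event() {
    local ts dir name events
    IFS='|' read -r ts dir name events <<EOF
$1
EOF
    printf '%s %s %s%s\n' "$ts" "$events" "$dir" "$name"
}

# Event names (second field) of a formatted record.
event_kind() {
    printf '%s\n' "$1" | cut -d' ' -f2
}

# Path (third field onward) of a formatted record; paths may contain spaces.
event_path() {
    printf '%s\n' "$1" | cut -d' ' -f3-
}

# Events that change file content or the tree. ACCESS/OPEN/CLOSE_NOWRITE are
# noise when the question is "what did the program modify?".
is_write_event() {
    case "$1" in
        *MODIFY*|*CREATE*|*DELETE*|*MOVED_FROM*|*MOVED_TO*|*ATTRIB*|*CLOSE_WRITE*)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Best-effort attribution: lsof lines (header stripped, indented) for the
# processes that currently hold the path open. As in the thread's vi example
# this only works while the file is still open; a program that opens, writes
# and closes quickly is usually gone again before lsof runs.
holders() {
    command -v lsof >/dev/null 2>&1 || return 0
    lsof "$1" 2>/dev/null | tail -n +2 | sed 's/^/    /'
}

# Log every event under $1 to $2 until inotifywait is killed.
watch_dir() {
    local rec line
    inotifywait -m -r -q --timefmt '%Y-%m-%dT%H:%M:%S' \
        --format '%T|%w|%f|%e' "$1" |
    while IFS= read -r line; do
        rec=$(format_event "$line")
        printf '%s\n' "$rec" >>"$2"
        if is_write_event "$(event_kind "$rec")"; then
            holders "$(event_path "$rec")" >>"$2"
        fi
    done
}

main() {
    local watchdir logfile watcher status
    if [ "$#" -lt 3 ]; then
        echo "usage: $0 WATCHDIR LOGFILE PROGRAM [ARGS...]" >&2
        return 2
    fi
    watchdir=$1; logfile=$2; shift 2
    watch_dir "$watchdir" "$logfile" &
    watcher=$!
    sleep 1          # let inotifywait set up its watches before the program starts
    "$@"
    status=$?
    sleep 1          # let the last events drain into the log
    pkill -P "$watcher" 2>/dev/null   # the inotifywait | while pipeline
    kill "$watcher" 2>/dev/null
    return "$status"
}

# Run main only when executed directly, not when sourced to reuse the helpers.
if [ "$(basename -- "$0")" = "fswatch_run.sh" ]; then
    main "$@"
fi
```

Because lsof is run after the fact, the attribution is only as good as the race allows: an editor that keeps the file open is caught, a one-shot writer generally is not, which is the same limitation the second answer describes.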
That works very well. Many thanks for your help.