
Linux file access monitor, with inotify?

I am searching for a tool in Linux for monitoring files. For example, I need to know what happened to a file, like whether it was created, rewritten, read and so on.

I know that I can use inotify to achieve this, but I need more detailed information. For example, I can know the event of creating a file, but what I want is not only that the file was created but also what the size of the created file is. Likewise, for reading a file, I not only want to know that a read event happened but also the details of the read, such as the offset in the file it read from.

Is there anyone who can help with this problem?

auditd is a good choice if you don't want to code your own monitoring tool. Otherwise, using sys/inotify.h gives you information about the file by looking at struct inotify_event.

If you need information that detailed then you're going to have to write a kernel module to hook the VFS; even the audit subsystem doesn't have all those details.

As far as I know, the kernel does not have an infrastructure that provides details in that depth. Such support would imply an inordinate amount of monitoring hooks that could even affect the performance of the system. You would have to write kernel code of your own to receive that kind of information...

You also seem to be confused about the granularity of some operations. For example, when a file is created via the open() system call, it is initially empty. You need additional system calls (e.g. write() or lseek()) for its size to change. I am not aware of any atomic operation that creates files with a given size.

That said, you might be able to use one or combinations of the following alternatives:

  • Use inotify and the stat system call to log operations, file sizes and permissions. Unfortunately this approach is not atomic, and it will not give you read/write offsets.

  • Use strace on any process that might be modifying your files. strace logs can be very long and tedious for humans to parse, but provide a lot of information on the operations performed by the traced application.

  • If you are interested in specific files, then perhaps you could use a FUSE filesystem to mirror a directory by passing through all operations, while also recording everything.
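The inotify-plus-stat approach from the first bullet, and the struct inotify_event reading mentioned in the first answer, as an added example (not code from any of the posters): it watches a scratch directory, creates and writes a file in it from the same process, then drains the event queue and prints each event's decoded mask, the file name, and the file's size as reported by stat at decode time. The scratch directory name, the sample file name and the 11-byte payload are constructed for the demo. Because stat runs after the whole create/write/close sequence, every row shows the final size, which is exactly the non-atomicity the answer warns about: inotify tells you that something happened, not the size or offset at the instant it happened.

```c
/* Added example: log inotify events together with stat() file sizes.
   Linux only; not part of the original question or answers. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

/* Decode an inotify mask into "CREATE|CLOSE_WRITE" form.
   Returns a pointer to a static buffer (fine for a single-threaded logger). */
const char *mask_name(uint32_t mask) {
    static const struct { uint32_t bit; const char *name; } names[] = {
        { IN_CREATE, "CREATE" },         { IN_OPEN, "OPEN" },
        { IN_ACCESS, "ACCESS" },         { IN_MODIFY, "MODIFY" },
        { IN_CLOSE_WRITE, "CLOSE_WRITE" }, { IN_CLOSE_NOWRITE, "CLOSE_NOWRITE" },
        { IN_ATTRIB, "ATTRIB" },         { IN_DELETE, "DELETE" },
        { IN_MOVED_FROM, "MOVED_FROM" }, { IN_MOVED_TO, "MOVED_TO" },
    };
    static char out[256];
    out[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (mask & names[i].bit) {
            if (out[0]) strncat(out, "|", sizeof out - strlen(out) - 1);
            strncat(out, names[i].name, sizeof out - strlen(out) - 1);
        }
    }
    return out;
}

/* Size of dir/name as stat() sees it *now*; -1 if the file is gone.
   This is the race the answer describes: the event and the stat are two steps. */
long file_size_now(const char *dir, const char *name) {
    char path[PATH_MAX];
    struct stat st;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    if (stat(path, &st) != 0) return -1;
    return (long)st.st_size;
}

/* Watch a scratch directory, generate create+write+close activity in it,
   then drain and print the queued events. Returns the number of events
   decoded (4 for this sequence: CREATE, OPEN, MODIFY, CLOSE_WRITE), or -1. */
int watch_demo(void) {
    char dir[] = "/tmp/inotify-demo-XXXXXX";   /* constructed scratch directory */
    if (!mkdtemp(dir)) return -1;

    int ifd = inotify_init1(IN_NONBLOCK);
    if (ifd < 0) { rmdir(dir); return -1; }
    int wd = inotify_add_watch(ifd, dir,
                               IN_CREATE | IN_OPEN | IN_MODIFY | IN_CLOSE_WRITE | IN_DELETE);
    if (wd < 0) { close(ifd); rmdir(dir); return -1; }

    /* The activity being observed: create a file and write 11 bytes to it. */
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/sample.txt", dir);
    int fd = open(path, O_CREAT | O_WRONLY, 0600);
    if (fd < 0) { inotify_rm_watch(ifd, wd); close(ifd); rmdir(dir); return -1; }
    if (write(fd, "hello world", 11) != 11) { /* constructed payload */ }
    close(fd);

    /* Drain the queue: each record is a struct inotify_event followed by
       ev->len bytes of name (NUL-padded). The buffer must be suitably aligned. */
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    ssize_t n = read(ifd, buf, sizeof buf);
    int count = 0;
    for (char *p = buf; n > 0 && p < buf + n; ) {
        struct inotify_event *ev = (struct inotify_event *)p;
        const char *name = ev->len ? ev->name : "(watched dir)";
        printf("%-24s %-14s size=%ld\n", mask_name(ev->mask), name,
               file_size_now(dir, name));
        count++;
        p += sizeof *ev + ev->len;
    }

    inotify_rm_watch(ifd, wd);
    close(ifd);
    unlink(path);
    rmdir(dir);
    return count;
}

int main(void) {
    int n = watch_demo();
    printf("%d event(s) decoded\n", n);
    return n < 0;
}
```

The read() call returns however many complete records fit in the buffer, so a real logger loops on read() and handles IN_Q_OVERFLOW (queue overflow, when events were dropped) and IN_IGNORED (the watch was removed, e.g. because the directory was deleted). Note that every size column reads 11 even for the CREATE event, which is why the answer says this approach is not atomic.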
