While reviewing one of my Linux hosts, I noticed that a bunch of write activity was occurring to one specific file system. I was curious to see what this write activity was, so I started reading up on the Linux inotify framework. Inotify allows you to monitor file system events, and the super useful iwatch utility provides a command line interface to the inotify framework. When iwatch is executed and passed the name of a directory on the command line, it will print all of the events that are applicable to that directory:
$ iwatch -v /tmp
[21/Feb/2009 11:21:18] IN_CREATE /tmp/services [21/Feb/2009 11:21:18] IN_CLOSE_WRITE /tmp/services [21/Feb/2009 11:21:18] * /tmp/services is closed [21/Feb/2009 11:21:25] IN_DELETE /tmp/services [21/Feb/2009 11:21:25] * /tmp/services is deleted [21/Feb/2009 11:21:35] IN_CREATE /tmp/foo [21/Feb/2009 11:21:35] IN_CLOSE_WRITE /tmp/foo [21/Feb/2009 11:21:35] * /tmp/foo is closed [21/Feb/2009 11:21:46] IN_DELETE /tmp/foo [21/Feb/2009 11:21:46] * /tmp/foo is deleted
This command line will cause a line to be printed to STDOUT each time an event is triggered due to operations taking place in /tmp. If you would prefer to get an e-mail when events occur, you can add the “-m” option to the command line:
$ iwatch -v -m email@example.com /tmp
This utility rocks, and I hope Solaris will provide a similar utility to take advantage of their notification framework.