Monitoring file activity on Linux hosts

While reviewing one of my Linux hosts, I noticed that a bunch of write activity was occurring to one specific file system. I was curious to see what this write activity was, so I started reading up on the Linux inotify framework. Inotify allows you to monitor file system events, and the super useful iwatch utility provides a command line interface to the inotify framework. When iwatch is executed and passed the name of a directory on the command line, it will print all of the events that are applicable to that directory:

$ iwatch -v /tmp

[21/Feb/2009 11:21:18] IN_CREATE /tmp/services
[21/Feb/2009 11:21:18] IN_CLOSE_WRITE /tmp/services
[21/Feb/2009 11:21:18] * /tmp/services is closed
[21/Feb/2009 11:21:25] IN_DELETE /tmp/services
[21/Feb/2009 11:21:25] * /tmp/services is deleted
[21/Feb/2009 11:21:35] IN_CREATE /tmp/foo
[21/Feb/2009 11:21:35] IN_CLOSE_WRITE /tmp/foo
[21/Feb/2009 11:21:35] * /tmp/foo is closed
[21/Feb/2009 11:21:46] IN_DELETE /tmp/foo
[21/Feb/2009 11:21:46] * /tmp/foo is deleted



This command line will cause a line to be printed to STDOUT each time an event is triggered due to operations taking place in /tmp. If you would prefer to get an e-mail when events occur, you can add the “-m” option to the command line:

$ iwatch -v -m matty@prefetch.net /tmp

This utility rocks, and I hope Solaris will provide a similar utility to take advantage of their notification framework.

2 thoughts on “Monitoring file activity on Linux hosts”

Leave a Reply

Your email address will not be published. Required fields are marked *