
I need to track down files (particularly log files) from any apps generating them at any given moment. These files may be arbitrarily named (not necessarily containing log in the filename or path).

I was thinking that I'd use fswatch -r / and then grep through things like so:

fswatch -r / | egrep --line-buffered -iv "//run|//sys"

But I'm finding that it's not giving any appreciable output towards my stated goal... Only seeing:

...
inotify_add_watch: No space left on device
inotify_add_watch: No space left on device
inotify_add_watch: No space left on device
/
/
/
/
^C
$

What would work in this case? I'm not really committed to using fswatch so I'm pretty much open to any ideas or solutions to find such files being modified at any given moment.

Note, I also don't care much about "spew" since I should be able to find things pretty quickly once I see them coming up in the console, but I just want to get essentially anything going on on the FS such that I can chop out the unimportant stuff.

Comments:

  • Maybe it will be better to use the audit subsystem. Commented Nov 21, 2018 at 19:31
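As an added illustration (not part of the question, and not fswatch's own code): the repeated `inotify_add_watch: No space left on device` lines mean the per-user inotify watch limit was reached, not that a disk is full. Any recursive watcher (fswatch -r, inotifywait -r, or an incron table with one entry per directory) registers one inotify watch per directory, and the kernel reports hitting fs.inotify.max_user_watches as ENOSPC, so starting at / exhausts the budget almost immediately. The script below counts the directories a tree would need against the watches still free; the /proc locations are parameters so the check can be pointed at a constructed tree, and /var/log as the demo root is an assumption.

```shell
#!/bin/sh
# Added example (not from the question or from fswatch): why a recursive
# watcher started at / prints "inotify_add_watch: No space left on device".
# Each watched directory costs one inotify watch, and the kernel caps watches
# per user at fs.inotify.max_user_watches; ENOSPC is how the cap is reported.
# The /proc locations are parameters so the check can run against a
# constructed tree; they default to the real ones.

# inotify_max_watches [SYSDIR]: the per-user watch limit.
inotify_max_watches() {
    cat "${1:-/proc/sys/fs/inotify}/max_user_watches"
}

# inotify_watches_in_use [PROC]: watches currently held. The kernel lists one
# "inotify wd:" line per watch in /proc/PID/fdinfo/FD for every open inotify
# descriptor (other users' processes are only readable as root).
inotify_watches_in_use() {
    find "${1:-/proc}" -maxdepth 3 -path '*/fdinfo/*' -type f \
        -exec grep -h '^inotify wd:' {} + 2>/dev/null | wc -l | tr -d ' '
}

# dirs_to_watch ROOT: watches a recursive watcher would register for ROOT.
dirs_to_watch() {
    find "$1" -type d 2>/dev/null | wc -l | tr -d ' '
}

# watch_budget_ok ROOT [SYSDIR] [PROC]: succeed when ROOT fits in the
# remaining budget; print needed/free either way.
watch_budget_ok() {
    needed=$(dirs_to_watch "$1")
    max=$(inotify_max_watches "$2")
    in_use=$(inotify_watches_in_use "$3")
    free=$((max - in_use))
    printf 'needed=%s free=%s (max=%s in_use=%s)\n' "$needed" "$free" "$max" "$in_use"
    [ "$needed" -le "$free" ]
}

# Stand-alone demo against the live system, skipped where inotify limits are
# not exposed (non-Linux). /var/log is an assumed starting point.
if [ -r /proc/sys/fs/inotify/max_user_watches ]; then
    watch_budget_ok /var/log || echo 'narrow the root or raise fs.inotify.max_user_watches'
fi
```

When `needed` exceeds `free`, either narrow the watched root (which is also what removes the /run and /sys noise the question filters with egrep) or raise the limit as root with `sysctl fs.inotify.max_user_watches=524288` and persist it under /etc/sysctl.d/. An incron table is subject to the same cap, since incrond holds one watch per entry.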

1 Answer

Install and configure incrontab.

incron is a daemon which monitors filesystem events and executes commands defined in system and user tables.

Add the user under /etc/incron.allow (this allows the user to use incrontab), then use incrontab -e to edit the file.

Usage:

path mask command

path = path to file

mask = see man inotify | less +/'inotify events'

command = command to be executed; in your case it can be just a message allowing you to filter the results of your syslog to know the exact time of the file modification.

e.g. to monitor a file, use:

/path/to/file IN_MODIFY "message: your file is accessed"

If the file is accessed by modification, you will find a message under /var/log/syslog, or type journalctl -xe.

A sample output:

# grep "message: your" /var/log/syslog

Nov 22 10:05:04 hostname incrond[2263]: (USER) CMD ("message: your file is accessed")

Edit

It is possible to monitor all files under a specific folder. This is a sample message allowing you to list all files as they're being updated:

path/to/folder IN_MODIFY echo "$$ $@ $# $% $&"

The command may contain these wildcards:

$$ - a dollar sign
$@ - the watched filesystem path (see above example)
$# - the event-related file name
$% - the event flags (textually)
$& - the event flags (numerically)

Archlinux: incron

How to Use Incron to Monitor Important Files and Folders

Comments:

  • So this can be used to monitor all files in the filesystem simultaneously so as to find out what files are being modified and thus isolating log files? If so, could you please explain a little more so that I can be clear on exact usage to do so? Commented Nov 22, 2018 at 3:21
  • Hmm, to me this still seems as though you're using it to monitor specific files vs. all files. For example, I want any and all arbitrary files under a path to be visible. Say I want to see all files that are being modified under /usr and /var, not just specific files - but all files under those folders - to be listed as they're being updated... Commented Nov 24, 2018 at 5:33
  • @ylluminate Yes, it is possible; see my edit please. Commented Nov 24, 2018 at 10:05
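The answer's edit gives one incrontab line per watched folder. As an added example (not from the answer and not the incron project's own code), the script below generates that table for an entire tree, because incron watches a directory without recursing into its subdirectories, so each one needs its own entry. It skips the pseudo-filesystems the question excluded with egrep, reports how many inotify watches the table will consume, and pulls the command back out of an incrond syslog line like the one shown in the answer. It assumes incron is installed, the user is listed in /etc/incron.allow, and the generated table is loaded with `incrontab FILE` or pasted into `incrontab -e`; the event mask and the directory names in the demo are my choices.

```shell
#!/bin/sh
# Added example (not from the answer or the incron project): generate one
# incrontab line per directory under a tree, because incron watches a
# directory non-recursively, so every subdirectory needs its own entry.
# Assumed: incron is installed, the user is in /etc/incron.allow, and the
# output is installed with `incrontab FILE` (or pasted via incrontab -e).

# Event mask used for every entry: writes, newly created files, and files
# closed after writing (the moment a log line has actually reached disk).
INCRON_MASK="IN_MODIFY,IN_CREATE,IN_CLOSE_WRITE"

# incron_entry DIR: print the incrontab line for one directory.
# $@ $# $% are incron wildcards (watched path, file name, textual flags),
# so they are single-quoted to keep this shell from expanding them.
incron_entry() {
    printf '%s %s echo "%s"\n' "$1" "$INCRON_MASK" '$@/$# $%'
}

# incron_table ROOT [EXCLUDE_REGEX]: emit entries for ROOT and every
# subdirectory, skipping paths that match EXCLUDE_REGEX (by default the
# noisy pseudo-filesystems the question filtered out with egrep).
incron_table() {
    root=$1
    exclude=${2:-'^/(proc|sys|run|dev)(/|$)'}
    find "$root" -type d 2>/dev/null | grep -Ev "$exclude" | sort |
    while IFS= read -r dir; do
        incron_entry "$dir"
    done
}

# incron_table_size ROOT [EXCLUDE_REGEX]: number of entries, which is the
# number of inotify watches incrond will hold for this table. Compare it
# with /proc/sys/fs/inotify/max_user_watches before installing it.
incron_table_size() {
    incron_table "$@" | wc -l | tr -d ' '
}

# syslog_incron_cmd LINE: extract the executed command from an incrond
# syslog line such as
#   Nov 22 10:05:04 hostname incrond[2263]: (USER) CMD (echo "/var/log/app.log IN_MODIFY")
# Prints the text inside CMD ( ... ), or nothing if the line is not incrond's,
# so the output can be fed to sort/uniq to list which files are being written.
syslog_incron_cmd() {
    printf '%s\n' "$1" | sed -n 's/.*incrond\[[0-9]*\]: ([^)]*) CMD (\(.*\))$/\1/p'
}

# Stand-alone demo on a constructed directory tree (incron itself is not
# needed to run this part).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/app/logs" "$demo_root/app/cache"
incron_table "$demo_root"
printf 'entries (inotify watches needed): %s\n' "$(incron_table_size "$demo_root")"
rm -rf "$demo_root"
```

With the table installed, every write under the tree produces a syslog line whose command text is `WATCHED_DIR/FILE FLAGS`, which is exactly the list of files being updated that the comments ask for; new subdirectories created after the table was built are not covered until it is regenerated.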
