How to monitor what files are opened
Is there a tool to monitor what processes open what files on the system so you can track down which process keeps touching a specific file? Lsof can find out if you run it while the process has the file open, but if it is a short lived process that runs every once in a while, you can’t catch it with lsof. Need something that uses kernel tracing.
Have you checked out inotify? See @Kees’s answer here for example: askubuntu.com/questions/25442/… There are a couple of links on my answer here: askubuntu.com/questions/29566/…
@jgbelacua neither of those is quite what I’m looking for. Inotify can tell you when a given file is touched, and lsof can tell you what files a process has open, or what process has a file open, but I need to figure out what process keeps touching a file, then closing it before I can run lsof to catch it.
3 Answers 3
You could perhaps use audit system for that. It is a little heavyweight, but something like this should work (in /etc/audit/audit.rules):
# delete all other rules -D # watch the file in question -w /path/to/file -p rwxa and then I think you need to restart auditd:
sudo service audit restart (In case you don’t have it installed, it is in package auditd.) The culprit can then be found in /var/log/audit/audit.log.
fnotifystat is a tool that has been designed to watch linux file activity
sudo apt-get install fnotifystat sudo fnotifystat Total Open Close Read Write PID Process Pathname 7.0 1.0 1.0 5.0 0.0 2075 libvirtd /proc/cpuinfo 6.0 2.0 2.0 2.0 0.0 2075 libvirtd /sys/devices/system/cpu/cpu0/topology/physical_package_id 6.0 2.0 2.0 2.0 0.0 2075 libvirtd /sys/devices/system/cpu/cpu1/topology/physical_package_id 6.0 2.0 2.0 2.0 0.0 2075 libvirtd /sys/devices/system/cpu/cpu2/topology/physical_package_id 6.0 2.0 2.0 2.0 0.0 2075 libvirtd /sys/devices/system/cpu/cpu3/topology/physical_package_id 4.0 1.0 1.0 2.0 0.0 2075 libvirtd /sys/devices/system/node 4.0 1.0 1.0 2.0 0.0 2075 libvirtd /sys/devices/system/node/node0 4.0 2.0 2.0 0.0 0.0 15313 gnome-calendar /usr/share/zoneinfo/Europe/London 3.0 1.0 1.0 1.0 0.0 2075 libvirtd /sys/devices/system/cpu/cpu0/topology/core_id 3.0 1.0 1.0 1.0 0.0 2075 libvirtd /sys/devices/system/cpu/cpu0/topology/thread_siblings_list 3.0 1.0 1.0 1.0 0.0 2075 libvirtd /sys/devices/system/cpu/cpu1/topology/core_id 3.0 1.0 1.0 1.0 0.0 2075 libvirtd /sys/devices/system/cpu/cpu1/topology/thread_siblings_list 3.0 1.0 1.0 1.0 0.0 2075 libvirtd /sys/devices/system/cpu/cpu2/topology/core_id 3.0 1.0 1.0 1.0 0.0 2075 libvirtd /sys/devices/system/cpu/cpu2/topology/thread_siblings_list 3.0 1.0 1.0 1.0 0.0 2075 libvirtd /sys/devices/system/cpu/cpu3/topology/core_id 3.0 1.0 1.0 1.0 0.0 2075 libvirtd /sys/devices/system/cpu/cpu3/topology/thread_siblings_list 3.0 1.0 1.0 1.0 0.0 2075 libvirtd /sys/devices/system/cpu/online 3.0 1.0 1.0 1.0 0.0 2075 libvirtd /sys/devices/system/cpu/present 3.0 1.0 1.0 1.0 0.0 2075 libvirtd /sys/devices/system/node/node0/meminfo 2.0 0.0 0.0 0.0 2.0 12174 xchat /home/cking/.xchat2/xchatlogs/FreeNode-#ubuntu-release.log 1.0 0.0 0.0 0.0 1.0 12174 xchat /home/cking/.xchat2/xchatlogs/FreeNode-#ubuntu-desktop.log 1.0 0.0 0.0 0.0 1.0 12174 xchat /home/cking/.xchat2/xchatlogs/FreeNode-#ubuntu-devel.log 1.0 0.0 0.0 0.0 1.0 12174 xchat /home/cking/.xchat2/xchatlogs/FreeNode-#ubuntu-kernel.log Show the top 10 active files every 60 seconds until stopped:
Show file acivity every 10 seconds just 6 times:
Show file activity of thunderbird and process ID 1827:
sudo fnotifystat -p thunderbird,1827 Show every file notify event and the top 20 active activity files over a single period of 5 minutes:
sudo sudo notifystat -v -d -c 5m 1 Just show every file notify event on /sys and /proc and no periodic statisics:
sudo fnotifystat -n -i /sys,/proc Consult the fnotifystat man page for more information, it’s quite a flexible tool.
Monitor open process files on linux real time
You could use an old school while loop: is in the procps package on debian based systems and the procps rpm on RedHat derived systems. You need to run as root if the command runs with elevated privileges: Another method that’s likely to be faster is to preload a library that wraps around filesystem access functions: .
Monitor open process files on linux (real-time)
You could use an old school while loop:
while : do ls -l /proc/$$/fd sleep 10 done watch is in the procps package on debian based systems and the procps rpm on RedHat derived systems.
If you want to see each file as it is being opened, you can filter that with strace . For example:
strace -p _pid_of_app_ -e trace=open,close You could combine lsof and watch .
For example watch «lsof -p 1234» will give you a list of all open files of pid 1234 every 2 seconds. You could change some parameters to meet your needs.
Monitor open process files on linux (real-time), You could combine lsof and watch. For example watch «lsof -p 1234» will give you a list of all open files of pid 1234 every 2 seconds. You could change some parameters to meet your needs. I created a bash file where I was writing the output of the command to a file. File was generated on the basis current date.
Linux file access monitoring
Unless you have extremely unusual logging policies in place, who accessed what file is not logged (that would be a huge amount of information). You can find out who was logged in at what time in the system logs; the last command gives you login history, and other logs such as /var/log/auth.log will tell you how users authenticated and from where they logged in (which terminal, or which host if remotely).
The date at which a file was last read is called its access time, or atime for short. All unix filesystems can store it, but many systems don’t record it, because it has a (usually small) performance penalty. ls -ltu /path/to/file or stat /path/to/file shows the file’s access time.
If a user accessed the file and wasn’t trying to hide his tracks, his shell history (e.g. ~/.bash_history ) may have clues.
To find out what or who has a file open now, use lsof /path/to/file .
To log what happens to a file in the future, there are a few ways:
- Use inotifywait. inotifywait -me access /path/to will print a line /path/to/ ACCESS file when someone reads file . This interface won’t tell you who accessed the file; you can call lsof /path/to/file as soon as this line appears, but there’s a race condition (the access may be over by the time lsof gets going).
- LoggedFS is a stackable filesystem that provides a view of a filesystem tree, and can perform fancier logging of all accesses through that view. To configure it, see LoggedFS configuration file syntax.
- You can use Linux’s audit subsystem to log a large number of things, including filesystem accesses. Make sure the auditd daemon is started, then configure what you want to log with auditctl . Each logged operation is recorded in /var/log/audit/audit.log (on typical distributions). To start watching a particular file:
The previous answer is not the best practice for doing what you ask. Linux has an API for this. The inotify API http://linux.die.net/man/7/inotify
- You can write a C program to do what you want just calling the inotify API directly
- You can use kfsmd, http://www.linux.com/archive/feature/124903 a daemon that uses inotify
- If you want something that works across platforms ( inotify is Linux specific) and you are using Java, JNotify works across platforms(Linux, Mac, Windows), abstracting the native OS’ underlying API.
Above example with inotifywait should be one of (see man page for more info):
inotifywait /path/to/file inotifywait -e open /pat/to/file Or with monitoring mode and timestamp:
inotifywait -m --format '%w:%e:%T' --timefmt '%F %T %Z %z' How do I monitor opened files of a process in realtime?, I know I can view the open files of a process using lsof at that moment in time on my Linux machine. However, a process can open, alter and close a file so quickly that I won’t be able to see it when monitoring it using standard shell scripting (e.g. watch) as explained in «monitor open process files on linux (real-time)». So, I …
How to monitor the frequency of processes writing to a file on Linux
You might find iotop and fatrace useful to help you achieve what you want.
Linux file access monitoring, If a user accessed the file and wasn’t trying to hide his tracks, his shell history (e.g. ~/.bash_history) may have clues. To find out what or who has a file open now, use lsof /path/to/file. To log what happens to a file in the future, there are a few ways: Use inotifywait. inotifywait -me access /path/to will print a line /path/to/ ACCESS
List the files accessed by a program
I gave up and coded my own tool. To quote from its docs:
SYNOPSIS tracefile [-adefnu] command tracefile [-adefnu] -p pid OPTIONS -a List all files -d List only dirs -e List only existing files -f List only files -n List only non-existing files -p pid Trace process id -u List only files once It only outputs the files so you do not need to deal with the output from strace .
You can trace the system calls with strace , but there is indeed an inevitable speed penalty. You need to run strace as root if the command runs with elevated privileges:
sudo strace -f -o foo.trace su user -c 'mycommand' Another method that’s likely to be faster is to preload a library that wraps around filesystem access functions: LD_PRELOAD=/path/to/libmywrapper.so mycommand . The LD_PRELOAD environment variable won’t be passed to programs invoked with elevated privileges. You’d have to write the code of that wrapper library (here’s an example from “Building library interposers for fun and profit”); I don’t know if there is reusable code available on the web.
If you’re monitoring the files in a particular directory hierarchy, you can make a view of the filesystem with LoggedFS such that all accesses through that view are logged.
loggedfs -c my-loggedfs.xml /logged-view mycommand /logged-view/somedir To configure LoggedFS, start with the sample configuration shipped with the program and read LoggedFS configuration file syntax.
Another possibility is Linux’s audit subsystem. Make sure the auditd daemon is started, then configure what you want to log with auditctl . Each logged operation is recorded in /var/log/audit/audit.log (on typical distributions). To start watching a particular file:
auditctl -a exit,always -w /path/to/file If you put a watch on a directory, the files in it and its subdirectories recursively are also watched. Take care not to watch the directory containing the audit logs. You can restrict the logging to certain processes, see the auditctl man page for the available filters. You need to be root to use the audit system.
I think you want lsof (possibly piped to a grep on the program and it’s children). It will tell you every file that’s currently being accessed on the filesystem. For information about which files accessed by process (from here):
How can I monitor Linux file access per file realtime, For me (Ubuntu server 12.04.3 LTS amd64 on ext4 fs) loggedfs simply breaks / stops all filesystem access to files below the given mountpoint except for root myself, throwing errors instead of actual filesystem messages. I don’t downvote this, though, as this might just be a problem on this particular system. – Christian