I came across fslogger, which is a great user-space program that subscribes to the kernel's file system change notification service.
Monitoring file system activity with fslogger is actually quite easy. It must be run as root, but that's it.
The output is a little bit verbose, but you can cut it down with awk.
# changed files
sudo fslogger | awk '/FSE_ARG_STRING/ { print $5 }'
# file change type
sudo fslogger | awk '/type.*=/ { print $3 }'
# process that caused the change
sudo fslogger | awk '/pid.*=.*\(.*\)/ { print $4$5 }'
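As an added example (not code from the original post), the three filters above can be combined into one stateful awk pass that prints a single tab-separated line per event, which is easier to grep or ship to a log collector. The sample input is constructed, its layout is an assumption inferred from the field numbers the filters use, and `summarize_fslogger` and `sample_events` are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the original post.
# Prints one line per event: type <TAB> pid (process) <TAB> path [-> path]

summarize_fslogger() {
  awk '
    # Join fields n..NF so paths and process names with spaces survive.
    function rest(n,    s, i) {
      s = $n
      for (i = n + 1; i <= NF; i++) s = s " " $i
      return s
    }
    function emit() {
      if (etype != "") printf "%s\t%s\t%s\n", etype, proc, paths
      etype = ""; proc = ""; paths = ""
    }
    # A "type = ..." line opens a new event, so the previous one is complete.
    $1 == "type" && $2 == "=" { emit(); etype = $3; next }
    $1 == "pid"  && $2 == "=" { proc = rest(3); next }
    # Renames carry two strings (old and new path); keep both.
    $1 == "FSE_ARG_STRING" { paths = (paths == "" ? "" : paths " -> ") rest(5); next }
    END { emit() }
  '
}

# Constructed sample input (assumed layout, not captured from a real run).
sample_events() {
  cat <<'EOF'
# Event
  type           = FSE_CREATE_FILE
  pid            = 412 (touch)
  # Details
    # type           len  data
    FSE_ARG_STRING    21  string = /private/tmp/a b.txt
# Event
  type           = FSE_RENAME
  pid            = 415 (mv)
  # Details
    # type           len  data
    FSE_ARG_STRING    15  string = /private/tmp/x
    FSE_ARG_STRING    15  string = /private/tmp/y
EOF
}

# Offline demo; for live use: sudo fslogger | summarize_fslogger
sample_events | summarize_fslogger
```

In live use each event is printed when the next one begins, because the script treats the following `type =` line as the end of the previous event.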
Helpful.
You can also use opensnoop to track file opens.