Difference between revisions of "Log filesystem changes"

Sometimes I want to see a log of every single filesystem access by any process. This could be done with inotify, but it would be slow to register the root directory of a large filesystem.

This is dumb:

inotifywatch -e modify -r /

I wondered why there wasn't some log option to log everything at the kernel level that goes in or out of the block layer. It turns out that there is just such an option. It logs everything to the kernel log (dmesg). This generates a lot of noise, so you wouldn't want to leave it on all the time. The following demonstrates how to turn on logging for the filesystem:

# Turn on block device logging to dmesg.
echo 1 > /proc/sys/vm/block_dump

# Use one of the following three ways to observe the contents of dmesg:
tail -f /var/log/syslog
tail -f /var/log/kern.log
while true; do dmesg -c; sleep 1; done;

# Turn off block device logging to dmesg.
echo 0 > /proc/sys/vm/block_dump

This type of logging only logs the process and block number written to. This does not log the filename or any other application layer data. This may have limited use depending on your requirements. For example, some logging data might look like this:

Mar 25 23:03:54 vmh-prod-1 kernel: [532969.293789] blkback.44.xvda(1671): WRITE block 1048853728 on dm-30 (8 sectors)
Mar 25 23:03:57 vmh-prod-1 kernel: [532972.309566] touch(8926): READ block 172240168 on sda1 (16 sectors)
Mar 25 23:03:57 vmh-prod-1 kernel: [532972.309590] touch(8926): READ block 172240192 on sda1 (8 sectors)
Mar 25 23:03:57 vmh-prod-1 kernel: [532972.309598] touch(8926): READ block 172240224 on sda1 (8 sectors)
Mar 25 23:03:57 vmh-prod-1 kernel: [532972.309606] touch(8926): READ block 172240240 on sda1 (24 sectors)
Mar 25 23:03:57 vmh-prod-1 kernel: [532972.312571] jbd2/sda5-8(456): WRITE block 335845408 on sda5 (8 sectors)
Mar 25 23:03:57 vmh-prod-1 kernel: [532972.312598] jbd2/sda5-8(456): WRITE block 92540768 on sda5 (8 sectors)