Log filesystem changes

From Noah.org
Revision as of 16:47, 17 November 2009 by Root

Sometimes I want to see a log of every single filesystem access by any process. This can be done with inotify, but registering the root directory of a large filesystem is slow, because a recursive watch has to be set on every directory beneath it.

inotifywatch -e modify -r /

I wondered why there wasn't some log option to log everything at the kernel level that goes in or out of the block layer. It turns out that there is just such an option. It logs everything to the kernel log (dmesg). This generates a lot of noise, so you wouldn't want to leave it on all the time. The following demonstrates how to turn on logging for the filesystem:

# Turn on block device logging to dmesg.
echo 1 > /proc/sys/vm/block_dump

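# Use one of the following three ways to observe the contents of dmesg
# (which log file exists depends on the syslog configuration; note that
# "dmesg -c" clears the kernel ring buffer after printing it):
tail -f /var/log/syslog
tail -f /var/log/kern.log
while true; do dmesg -c; sleep 1; done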

# Turn off block device logging to dmesg.
echo 0 > /proc/sys/vm/block_dump
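
Because block_dump is noisy, it helps to aggregate the messages per process before reading them. The following is an added example, not part of the original page: the two message shapes it parses are assumed, the sample lines are constructed, and `summarize_block_dump` and `sample_block_dump_lines` are hypothetical names.

```shell
#!/bin/sh
# Added example. Assumed block_dump message shapes (optional "[time] " prefix):
#   comm(pid): READ|WRITE block N on DEV (M sectors)
#   comm(pid): dirtied inode N (NAME) on DEV

# Constructed sample input, not captured from a real system.
sample_block_dump_lines() {
    cat <<'EOF'
[ 1201.100001] kjournald(1234): WRITE block 4120 on sda1 (8 sectors)
[ 1201.100002] kjournald(1234): WRITE block 4128 on sda1 (16 sectors)
[ 1201.200000] bash(4121): dirtied inode 393250 (my notes.txt) on sda1
[ 1201.300000] cat(4200): READ block 88000 on sda1 (32 sectors)
[ 1201.400000] usb 1-1: new high-speed USB device number 4 using ehci_hcd
EOF
}

# Read kernel log lines on stdin; print one line per process/operation/device.
summarize_block_dump() {
    awk '
    {
        line = $0
        p = index(line, "] ")                 # drop prefix through "[time] "
        if (p) line = substr(line, p + 2)
        stop = index(line, "): ")             # end of "comm(pid)"
        if (stop == 0 || substr(line, 1, stop) !~ /\([0-9]+\)$/) next
        who  = substr(line, 1, stop)
        rest = substr(line, stop + 3)
        n = split(rest, w, " ")
        if (rest ~ /^(READ|WRITE) block [0-9]+ on [^ ]+ \([0-9]+ sectors\)$/) {
            key = who " " w[1] " " w[5]
            sectors[key] += substr(w[6], 2)   # "(8" -> 8
        } else if (rest ~ /^dirtied inode [0-9]+ \(.*\) on [^ ]+$/) {
            key = who " dirtied " w[n]        # device is the last word
        } else next                           # unrelated kernel message
        events[key]++
    }
    END {
        for (key in events)
            printf "%s events=%d sectors=%d\n", key, events[key], sectors[key]
    }' | sort
}

sample_block_dump_lines | summarize_block_dump
```

On a live system with block_dump turned on, feed it with `dmesg | summarize_block_dump`.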