inotify – monitoring file system events

If you have some experience on compiling linux kernel, maybe you could recall that there is an option called “Inotify file change notification support” under “File Systems” section. Inotify is an inode-based filesystem notification technology. It provides possibility to simply monitor various events on files in filesystems. It is a very much powerful replacement of (obsolete) dnotify. Check Why Not dnotify and Why inotify to see a brief comparison between dnotify and inotify from Robert Love.

In kernel space, the inotify API provides a mechanism for monitoring file system events. Inotify can be used to monitor individual files, or to monitor directories. When a directory is monitored, inotify will return events for the directory itself, and for files inside the directory.

In user space, there are several tools use inotify, such as pyinotify, IWatch, incron, logsend, mswatch, inotail, inotify-tools and the others I don’t know of.
On Dec 3, inotify-tools was added into Slackware-Current repository. As the style of Patrick Volkerding and Slackware Distro, I think inotify-tools is worthy more to use.

Inotify-tools currently consists of a library called “libinotifytools” and two programs called “inotifywait” and “inotifywatch“, with a third kinda sorta planned but don’t hold your breath.

Libinotifytools library provides a thin layer on top of the basic inotify interface. The primary use is to easily set up watches on files, potentially many files at once, and read events without having to deal with low-level I/O. There are also several utility functions for inotify-related string formatting.

Inotifywait efficiently waits for changes to files using Linux’s inotify interface. It is suitable for waiting for changes to files from shell scripts. It can either exit once an event occurs, or continually execute and output events as they occur, and can recursively watch entire directory trees.

Inotifywatch listens for filesystem events using Linux’s inotify interface, then outputs a summary count of the events received on each file or directory.

How to use them? Please check their man pages for further information :-)

Below is a test on inotifywait. On one console monitored outputs, on another did some operation.

monitoring console:

root@ws:~# inotifywait -mr --format '%w %f %e' /home/cli
Setting up watches.
Beware: since -r was given, this may take a while!
Watches established.
/home/cli/tmp/ test CREATE,ISDIR
/home/cli/tmp/ test OPEN,ISDIR
/home/cli/tmp/ test CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/ test OPEN,ISDIR
/home/cli/tmp/test/  OPEN,ISDIR
/home/cli/tmp/ test CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/test/  CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/test/ new CREATE,ISDIR
/home/cli/tmp/test/ new OPEN,ISDIR
/home/cli/tmp/test/ new CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/  OPEN,ISDIR
/home/cli/  CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/ tmp OPEN,ISDIR
/home/cli/tmp/  OPEN,ISDIR
/home/cli/ tmp CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/  CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/ test OPEN,ISDIR
/home/cli/tmp/test/  OPEN,ISDIR
/home/cli/tmp/ test CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/test/  CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/test/new/ foo CREATE
/home/cli/tmp/test/new/ foo OPEN
/home/cli/tmp/test/new/ foo MODIFY
/home/cli/tmp/test/new/ foo CLOSE_WRITE,CLOSE
/home/cli/  OPEN,ISDIR
/home/cli/  CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/ tmp OPEN,ISDIR
/home/cli/tmp/  OPEN,ISDIR
/home/cli/ tmp CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/  CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/ test OPEN,ISDIR
/home/cli/tmp/test/  OPEN,ISDIR
/home/cli/tmp/ test CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/test/  CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/ test OPEN,ISDIR
/home/cli/tmp/test/  OPEN,ISDIR
/home/cli/tmp/ test CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/test/  CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/test/ new OPEN,ISDIR
/home/cli/tmp/test/new/  OPEN,ISDIR
/home/cli/tmp/test/ new CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/test/new/  CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/test/new/ foo OPEN
/home/cli/tmp/test/new/ foo ACCESS
/home/cli/tmp/test/new/ foo CLOSE_NOWRITE,CLOSE
/home/cli/tmp/ test OPEN,ISDIR
/home/cli/tmp/test/  OPEN,ISDIR
/home/cli/tmp/ test CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/test/  CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/test/ new OPEN,ISDIR
/home/cli/tmp/test/new/  OPEN,ISDIR
/home/cli/tmp/test/new/ foo DELETE
/home/cli/tmp/test/ new CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/test/new/  CLOSE_NOWRITE,CLOSE,ISDIR
/home/cli/tmp/test/ new DELETE,ISDIR
/home/cli/tmp/test/new/  DELETE_SELF
/home/cli/tmp/test/new/  IGNORED

operations:

[cherife@ws:~/tmp/test $] history|tail -6
520  mkdir -p tmp/test/new
521  echo "this is a test." > tmp/test/new/foo
522  cd tmp/test
523  cat new/foo
524  rm new/ -r
525  history|tail -6

In some case, yeah, it’s very powerful and useful for system administration.

This entry was posted at 17:36 on Sat, 15 Dec 2007 UTC and is filed under technology. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
Printed from: http://dotimes.com/iscale/2007/12/inotify-monitoring-file-system-events.html .
© Cowyn Li 2010.

Leave a Comment