Ever wanted to monitor filesystem changes?
Since Linux 2.6.25, the kernel provides us with a signal-driven I/O notification API, and the inotify-tools RPM provides a set of tools to interact with the kernel.
inotify in action: a simple way to test this API is to run the following command in a terminal window:
% inotifywait -m /tmp
Setting up watches.
Watches established.
In another terminal window, just create a file in /tmp:
% touch /tmp/toto
The inotifywait output should be:
/tmp/ CREATE toto
/tmp/ OPEN toto
/tmp/ ATTRIB toto
/tmp/ CLOSE_WRITE,CLOSE toto
Of course, the output can be filtered using the -e|--event argument, etc. (see the inotifywait or inotifywatch man pages).
inotify-tools can be used as-is in batch files, allowing you to define your own surveillance programs. The kernel API is also available from other programming languages: C of course, but also Python (python-inotify.noarch RPM), Perl (perl-Linux-Inotify2 module) and Ruby (rubygem-rb-inotify gem).
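The kernel API used directly from C, as an added example that is not part of the original post: it repeats the toto experiment in one process and formats the raw event records the way inotifywait -m prints them. The scratch directory name and the functions format_events and demo are names chosen for this example; the file is created with open() rather than touch, so no ATTRIB event is produced.

```c
#define _GNU_SOURCE   /* mkdtemp() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <unistd.h>

static const struct { uint32_t bit; const char *name; } NAMES[] = {
    { IN_CREATE, "CREATE" }, { IN_OPEN, "OPEN" }, { IN_ATTRIB, "ATTRIB" },
    { IN_MODIFY, "MODIFY" }, { IN_CLOSE_WRITE, "CLOSE_WRITE" },
    { IN_CLOSE_NOWRITE, "CLOSE_NOWRITE" }, { IN_CLOSE, "CLOSE" }, { IN_DELETE, "DELETE" },
};

/* Append one inotifywait-style line per record in buf[0..len); returns the record count. */
int format_events(const char *buf, ssize_t len, const char *dir, char *out, size_t cap)
{
    int count = 0; size_t used = 0;
    for (const char *p = buf; p < buf + len; count++) {
        const struct inotify_event *ev = (const struct inotify_event *)p;
        char names[128] = "";   /* large enough for every name in NAMES joined */
        for (size_t i = 0; i < sizeof NAMES / sizeof NAMES[0]; i++)
            if (ev->mask & NAMES[i].bit) {
                if (names[0]) strcat(names, ",");
                strcat(names, NAMES[i].name);
            }
        if (used < cap)
            used += snprintf(out + used, cap - used, "%s/ %s %s\n", dir, names, ev->len ? ev->name : "");
        p += sizeof *ev + ev->len;   /* records are variable length */
    }
    return count;
}

/* Watch a scratch directory, create "toto" in it, collect the queued events; -1 on error. */
int demo(char *out, size_t cap)
{
    char dir[] = "/tmp/inotify-demo-XXXXXX", path[64];   /* constructed names */
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    int fd = inotify_init1(IN_CLOEXEC | IN_NONBLOCK);
    out[0] = '\0';
    if (fd < 0 || !mkdtemp(dir) || inotify_add_watch(fd, dir, IN_ALL_EVENTS) < 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    snprintf(path, sizeof path, "%s/toto", dir);
    close(open(path, O_CREAT | O_WRONLY, 0600));   /* queues CREATE, OPEN, CLOSE_WRITE */
    ssize_t len = read(fd, buf, sizeof buf);       /* non-blocking: events are already queued */
    close(fd); unlink(path); rmdir(dir);
    return len < 0 ? -1 : format_events(buf, len, dir, out, cap);
}
int main(void) { char out[512]; int n = demo(out, sizeof out); printf("%s", out); return n < 0; }
```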