собирать статистику доступа к файловой системе с помощью inotify или fanotify (gather filesystem access statistics using inotify or fanotify)
Имя (Name)
inotifywatch, fsnotifywatch - gather filesystem access statistics
using inotify or fanotify
Синопсис (Synopsis)
inotifywatch [-hvzrPqf] [-e <event> ] [-t <seconds> ] [-a <event>
] [-d <event> ] <file> [ ... ]
fsnotifywatch [-hvzrPqfIFS] [-e <event> ] [-t <seconds> ] [-a
<event> ] [-d <event> ] <file> [ ... ]
Описание (Description)
inotifywatch listens for filesystem events using Linux's
inotify(7) interface, then outputs a summary count of the events
received on each file or directory.
fsnotifywatch is similar to inotifywatch but it is using Linux's
fanotify(7) interface by default. If explicitly sepcified, it
uses the inotify(7) interface.
Вывод (Output)
inotifywatch and fsnotifywatch will output a table on standard
out with one column for each type of event and one row for each
watched file or directory. The table will show the amount of
times each event occurred for each watched file or directory.
Output can be sorted by a particular event using the -a or -d
options.
Some diagnostic information will be output on standard error.
Параметры (Options)
-h, --help
Output some helpful usage information.
-v, --verbose
Output some extra information on standard error during
execution.
@<file>
When watching a directory tree recursively, exclude the
specified file from being watched. The file must be
specified with a relative or absolute path according to
whether a relative or absolute path is given for watched
directories. If a specific path is explicitly both
included and excluded, it will always be watched.
Note: If you need to watch a directory or file whose name
starts with @, give the absolute path.
--fromfile <file>
Read filenames to watch or exclude from a file, one
filename per line. If filenames begin with @ they are
excluded as described above. If <file> is `-', filenames
are read from standard input. Use this option if you need
to watch too many files to pass in as command line
arguments.
-z, --zero
Output table rows and columns even if all elements are
zero. By default, rows and columns are only output if
they contain non-zero elements. Using this option when
watching for every event on a lot of files can result in a
lot of output!
--exclude <pattern>
Do not process any events for the subset of files whose
filenames match the specified POSIX regular expression,
case sensitive.
--excludei <pattern>
Do not process any events for the subset of files whose
filenames match the specified POSIX regular expression,
case insensitive.
--include <pattern>
Process events only for the subset of files whose
filenames match the specified POSIX regular expression,
case sensitive.
--includei <pattern>
Process events only for the subset of files whose
filenames match the specified POSIX regular expression,
case insensitive.
-r, --recursive
Watch all subdirectories of any directories passed as
arguments. Watches will be set up recursively to an
unlimited depth. Symbolic links are not traversed. If
new directories are created within watched directories
they will automatically be watched.
Warning: If you use this option while watching the root
directory of a large tree, it may take quite a while until
all inotify watches are established, and events will not
be received in this time. Also, since one inotify watch
will be established per subdirectory, it is possible that
the maximum amount of inotify watches per user will be
reached. The default maximum is 8192; it can be increased
by writing to /proc/sys/fs/inotify/max_user_watches.
-P, --no-dereference
Do not follow symlinks.
-t <seconds>, --timeout <seconds>
Listen only for the specified amount of seconds. If not
specified, inotifywatch will gather statistics until
receiving an interrupt signal by (for example) pressing
CONTROL-C at the console.
-e <event>, --event <event>
Listen for specific event(s) only. The events which can
be listened for are listed in the EVENTS section. This
option can be specified more than once. If omitted, all
events are listened for.
-a <event>, --ascending <event>
Sort output ascending by event counts for the specified
event. Sortable events include `total' and all the events
listed in the EVENTS section except `move' and `close'
(you must use `moved_to', `moved_from', `close_write' or
`close_nowrite' instead). The default is to sort
descending by `total'.
-d <event>, --descending <event>
Sort output descending by event counts for the specified
event. Sortable events include `total' and all the events
listed in the EVENTS section except `move' and `close'
(you must use `moved_to', `moved_from', `close_write' or
`close_nowrite' instead). The default is to sort
descending by `total'.
Статус выхода (Exit)
0 The program executed successfully.
1 An error occurred in execution of the program.
События (Events)
The following events are valid for use with the -e option:
access A watched file or a file within a watched directory was
read from.
modify A watched file or a file within a watched directory was
written to.
attrib The metadata of a watched file or a file within a watched
directory was modified. This includes timestamps, file
permissions, extended attributes etc.
close_write
A watched file or a file within a watched directory was
closed, after being opened in writeable mode. This does
not necessarily imply the file was written to.
close_nowrite
A watched file or a file within a watched directory was
closed, after being opened in read-only mode.
close A watched file or a file within a watched directory was
closed, regardless of how it was opened. Note that this
is actually implemented simply by listening for both
close_write and close_nowrite, hence all close events
received will be output as one of these, not CLOSE.
open A watched file or a file within a watched directory was
opened.
moved_to
A file or directory was moved into a watched directory.
This event occurs even if the file is simply moved from
and to the same directory.
moved_from
A file or directory was moved from a watched directory.
This event occurs even if the file is simply moved from
and to the same directory.
move A file or directory was moved from or to a watched
directory. Note that this is actually implemented simply
by listening for both moved_to and moved_from, hence all
close events received will be output as one or both of
these, not MOVE.
move_self
A watched file or directory was moved. After this event,
the file or directory is no longer being watched.
create A file or directory was created within a watched
directory.
delete A file or directory within a watched directory was
deleted.
delete_self
A watched file or directory was deleted. After this event
the file or directory is no longer being watched. Note
that this event can occur even if it is not explicitly
being listened for.
unmount
The filesystem on which a watched file or directory
resides was unmounted. After this event the file or
directory is no longer being watched. Note that this
event can occur even if it is not explicitly being
listened to.
fsnotifywatch
The following additional options are available:
-I, --inotify
Watch using inotify.
-F, --fanotify
Watch using fanotify (default). fanotify support for
reporting events with inotify compatible information was
added in kernel v5.9. With older kernels the command will
fail. As of kernel v5.12, fanotify requires admin
privileges.
-S, --filesystem
Watch entire filesystem of any directories passed as
arguments using fanotify.
Примеры (Examples)
Watching the `~/.beagle' directory for 60 seconds:
% inotifywatch -v -e access -e modify -t 60 -r ~/.beagle
Establishing watches...
Setting up watch(es) on /home/rohan/.beagle
OK, /home/rohan/.beagle is now being watched.
Total of 302 watches.
Finished establishing watches, now collecting statistics.
Will listen for events for 60 seconds.
total access modify filename
1436 1074 362 /home/rohan/.beagle/Indexes/FileSystemIndex/PrimaryIndex/
1323 1053 270 /home/rohan/.beagle/Indexes/FileSystemIndex/SecondaryIndex/
303 116 187 /home/rohan/.beagle/Indexes/KMailIndex/PrimaryIndex/
261 74 187 /home/rohan/.beagle/TextCache/
206 0 206 /home/rohan/.beagle/Log/
42 0 42 /home/rohan/.beagle/Indexes/FileSystemIndex/Locks/
18 6 12 /home/rohan/.beagle/Indexes/FileSystemIndex/
12 0 12 /home/rohan/.beagle/Indexes/KMailIndex/Locks/
3 0 3 /home/rohan/.beagle/TextCache/54/
3 0 3 /home/rohan/.beagle/TextCache/bc/
3 0 3 /home/rohan/.beagle/TextCache/20/
3 0 3 /home/rohan/.beagle/TextCache/62/
2 2 0 /home/rohan/.beagle/Indexes/KMailIndex/SecondaryIndex/
Предостережение (Caveat)
When using inotifywatch, the filename that is outputted is not
guaranteed to be up to date after a move because it is the inode
that is being monitored. Additionally, none of the observed
operations are guaranteed to have been performed on the filename
inotifywatch was instructed to monitor in cases when the file is
known by several names in the filesystem.
Ошибки (баги) (Bugs)
There are race conditions in the recursive directory watching
code which can cause events to be missed if they occur in a
directory immediately after that directory is created. This is
probably not fixable.
It is assumed the inotify event queue will never overflow.
