Monitoring file system activity in real-time is crucial for system administrators, developers, and DevOps engineers. Whether you’re troubleshooting an issue, auditing system behavior, or simply tracking changes to a specific directory, inotifywait is a powerful and lightweight tool to achieve this.
In this post, I’ll guide you through setting up and using inotifywait on a RHEL/Rocky Linux-based system. We’ll also explore practical examples that monitor file-level changes in a directory in real time.
Step 1: Installing inotify-tools
To use inotifywait, you need to install the inotify-tools package. Follow these steps:
Command:
[root@siddhesh ~]# dnf install -y inotify-tools
Expected Output:
# Last metadata expiration check: 0:05:12 ago on Mon Jan 11 10:00:00 2025.
# Dependencies resolved.
===================================================================
 Package          Arch      Version           Repository
===================================================================
Installing:
 inotify-tools    x86_64    3.20.1.1-1.el8    epel
Transaction Summary
===================================================================
Install 1 Package
Total download size: 68 k
Installed size: 192 k
...
Complete!
Step 2: Understanding inotifywait
inotifywait is part of the inotify-tools package. It uses the Linux kernel's inotify API to monitor file system events such as file creation, modification, deletion, and access.
Commonly Monitored Events:
create: Detects when a file or directory is created.
modify: Detects changes to file contents.
delete: Detects when a file or directory is deleted.
access: Detects when a file is read.
move: Detects when a file or directory is moved.
Step 3: Monitoring a Directory in Real-Time
Let’s create a script to monitor a directory for file-level changes.
Script Example:
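#!/bin/bash
# Directory to watch and the file that receives the event log
MONITORED_DIR="/home/builddevops/"
LOG_FILE="/var/log/builddevops_changes.log"

# Stop early if the directory is missing
if [ ! -d "$MONITORED_DIR" ]; then
    echo "Directory $MONITORED_DIR does not exist. Exiting." >&2
    exit 1
fi

echo "Monitoring $MONITORED_DIR for changes..."

# -m: keep running, -r: recurse into subdirectories
inotifywait -m -r \
    -e create -e modify -e delete -e move \
    "$MONITORED_DIR" | while IFS= read -r event; do
    # Prefix each event line with a timestamp and append it to the log
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $event" >> "$LOG_FILE"
done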
How It Works:
inotifywait -m -r: The -m flag makes inotifywait run continuously, and the -r flag enables recursive monitoring of subdirectories.
-e create -e modify ...: Specifies the events to monitor.
Logging Events: Each event is appended to a log file with a timestamp.
Run the Script:
Save the script as monitor_iotest.sh, make it executable, and run it:
[root@siddhesh ~]# chmod +x monitor_iotest.sh
[root@siddhesh ~]# ./monitor_iotest.sh
Step 4: Testing Real-Time Monitoring
Scenario 1: Creating a File
[root@siddhesh ~]# touch /home/builddevops/test.txt
Log Output:
2025-01-11 10:30:12 - /home/builddevops/ CREATE test.txt
Scenario 2: Modifying a File
[root@siddhesh ~]# echo "Hello, Builddevops!" >> /home/builddevops/test.txt
Log Output:
2025-01-14 10:31:05 - /home/builddevops/ MODIFY test.txt
Scenario 3: Deleting a File
[root@siddhesh ~]# rm /home/builddevops/test.txt
Log Output:
2025-01-14 10:32:18 - /home/builddevops/ DELETE test.txt
Step 5: Additional Options
Monitor Access Events:
[root@siddhesh ~]# inotifywait -m -e access /home/builddevops/
Use Case: Track when files are being read.
Limit Monitoring to Specific File Types:
[root@siddhesh ~]# inotifywait -m -e create --format "%f" /home/builddevops/ | grep '\.log$'
Use Case: Monitor only .log files being created.
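The Step 3 logger and the Step 5 file-type filter can be combined into one script. The following is an added example, not part of the original post: inotifywait stamps each event itself through --timefmt and --format, the extension is matched literally, and control characters in file names are replaced before they reach the log. WATCH_DIR, LOG_FILE, WATCH_EXT, format_event and watch_dir are names assumed for illustration.

```shell
#!/bin/bash
# Added example, not from the original post. All names below are illustrative.
WATCH_DIR="${WATCH_DIR:-/home/builddevops/}"
LOG_FILE="${LOG_FILE:-/var/log/builddevops_changes.log}"
WATCH_EXT="${WATCH_EXT:-}"   # e.g. "log" keeps only *.log; empty keeps everything

# Convert one "time|events|path" line (the --format used below) into a log line.
# Returns 1 and prints nothing when the line is malformed or filtered out.
format_event() {
    local ts events path
    # The path is the last field, so a "|" inside a file name stays in $path.
    IFS='|' read -r ts events path <<EOF
$1
EOF
    [ -n "$ts" ] && [ -n "$events" ] && [ -n "$path" ] || return 1
    # Literal suffix match: "catalog" does not count as a ".log" file.
    if [ -n "$WATCH_EXT" ]; then
        case "$path" in
            *".$WATCH_EXT") ;;
            *) return 1 ;;
        esac
    fi
    # File names are untrusted input: replace control characters so a crafted
    # name cannot put terminal escape sequences into the log.
    path=$(printf '%s' "$path" | tr '[:cntrl:]' '?')
    printf '%s event=%s path="%s"\n' "$ts" "$events" "$path"
}

watch_dir() {
    # %T is the time rendered with --timefmt, %e the event list, %w%f the full path.
    inotifywait -m -r -q \
        -e create -e modify -e delete -e move \
        --timefmt '%Y-%m-%d %H:%M:%S' --format '%T|%e|%w%f' \
        "$WATCH_DIR" |
    while IFS= read -r line; do
        format_event "$line" >> "$LOG_FILE" || true
    done
}

# Start monitoring only when called as: ./script watch
if [ "${1:-}" = "watch" ]; then
    [ -d "$WATCH_DIR" ] || { echo "Directory $WATCH_DIR does not exist." >&2; exit 1; }
    watch_dir
fi
```

Run it with the watch argument to start logging, for example WATCH_EXT=log ./script watch to record only .log files.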
Conclusion
inotifywait is an invaluable tool for monitoring file system activity in real-time. With its lightweight nature and easy-to-use syntax, it’s perfect for scenarios like debugging, auditing, and securing your system. By leveraging inotifywait effectively, you can stay on top of changes and ensure your environment runs smoothly.