Install inotify-tools (http://inotify-tools.sourceforge.net). Download the source package:
wget http://github.com/downloads/rvoicilas/inotify-tools/inotify-tools-3.14.tar.gz
tar zxvf inotify-tools-3.14.tar.gz
cd inotify-tools-3.14
./configure --prefix=/usr && make && su -c 'make install'
Other related software is listed at https://github.com/rvoicilas/inotify-tools/wiki#related-software
The error "/usr/local/bin/inotifywait: error while loading shared libraries: libinotifytools.so.0" can be resolved with the following commands:
ln -sv /usr/local/lib/libinotify* /usr/lib/
ln -s /usr/local/lib/libinotifytools.so.0 /usr/lib64/libinotifytools.so.0
cp /usr/lib/libinotifytools.so.0 /usr/local/lib/
inotify error: upper limit on inotify watches reached
The above error occurs when inotify is used to monitor a large disk.
cat /proc/sys/fs/inotify/max_user_watches to see the current value; the default is 8192. Raising it resolves the error:
echo 8192000 > /proc/sys/fs/inotify/max_user_watches
File system events that inotify can monitor
IN_ACCESS: the file is accessed
IN_MODIFY: the file is written
IN_ATTRIB: file attributes are modified, for example by chmod, chown, touch
IN_CLOSE_WRITE: a file opened for writing is closed
IN_CLOSE_NOWRITE: a file not opened for writing is closed
IN_OPEN: the file is opened
IN_MOVED_FROM: the file is moved away, for example by mv
IN_MOVED_TO: the file is moved in, for example by mv, cp
IN_CREATE: a new file is created
IN_DELETE: the file is deleted, for example by rm
IN_DELETE_SELF: self-deletion, that is, an executable file deletes itself at execution time
IN_MOVE_SELF: self-move, that is, an executable file moves itself at execution time
IN_UNMOUNT: the host file system is unmounted
IN_CLOSE: the file is closed, equivalent to (IN_CLOSE_WRITE | IN_CLOSE_NOWRITE)
IN_MOVE: the file is moved, equivalent to (IN_MOVED_FROM | IN_MOVED_TO)
Note: "file" above also includes directories.
Kernel version support for inotify
inotify was formally merged into the kernel starting with version 2.6.13; RHEL5 already supports it.
Check whether the /proc/sys/fs/inotify/ directory exists to determine whether the kernel supports inotify:
# ls -l /proc/sys/fs/inotify/
total 0
-rw-r--r-- 1 root root 0 Oct 9 09:36 max_queued_events
-rw-r--r-- 1 root root 0 Oct 9 09:36 max_user_instances
-rw-r--r-- 1 root root 0 Oct 9 09:36 max_user_watches
Default kernel parameters for inotify
/proc/sys/fs/inotify/max_queued_events Default value: 16384. The value in this file is the maximum number of events that can be queued for an inotify instance when inotify_init is called. Events beyond this value are discarded, but an IN_Q_OVERFLOW event is triggered.
/proc/sys/fs/inotify/max_user_instances Default value: 128. Specifies the maximum number of inotify instances that can be created by each real user ID.
/proc/sys/fs/inotify/max_user_watches Default value: 8192. Specifies the upper bound on the watches associated with each inotify instance.
Note: max_queued_events is the maximum length of the queue that inotify manages; the more frequently the file system changes, the larger this value should be.
If you see "Event Queue Overflow" in the log, max_queued_events is too small; adjust the parameter and then run again.
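The limits above can be checked before a recursive watch is started. The following is an added example, not code from the original page; the function names are illustrative, and the 25% headroom and the 8192 fallback (the default quoted above) are assumptions.

```shell
#!/bin/sh
# Added example: does a recursive watch of DIR fit within max_user_watches?

# watches_needed DIR: a recursive watch needs one watch per directory.
watches_needed() {
    # Counting NUL terminators stays correct for names that contain newlines.
    echo $(( $(find "$1" -type d -print0 2>/dev/null | tr -dc '\000' | wc -c) ))
}

# current_limit: the live kernel limit, or the documented default if unreadable.
current_limit() {
    cat /proc/sys/fs/inotify/max_user_watches 2>/dev/null || echo 8192
}

# check_watch_budget DIR LIMIT
# Prints "ok needed/limit", or "raise needed/limit suggest=N" and returns 1.
check_watch_budget() {
    cwb_needed=$(watches_needed "$1")
    # Headroom (assumed 25%) for directories created after the watch starts.
    cwb_want=$(( cwb_needed + cwb_needed / 4 + 1 ))
    if [ "$cwb_want" -le "$2" ]; then
        echo "ok $cwb_needed/$2"
    else
        echo "raise $cwb_needed/$2 suggest=$cwb_want"
        return 1
    fi
}

# Stand-alone use: ./check.sh /home/admin
[ $# -eq 0 ] || check_watch_budget "$1" "$(current_limit)"
```

A "raise" result means the suggested value should be written to /proc/sys/fs/inotify/max_user_watches before inotifywait -r is started on that tree.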
inotifywait simply blocks and waits for inotify events. It can monitor any set of files and directories, or an entire directory tree (directories, subdirectories, subdirectories of subdirectories, and so on).
Use inotifywait in shell scripts.
inotifywatch collects statistics about the file systems being monitored, including how many times each inotify event occurs.
Shell script example
vi /tmp/test.sh
#!/bin/bash
# Watch /home/admin recursively and print "<event>-<file>" for each change.
# %T expands to two words (date and time), followed by the path and the event list.
inotifywait -mrq --timefmt '%d/%m/%y %H:%M' --format '%T %w%f %e' --event modify,delete,create,attrib /home/admin | while read -r date time file event
do
    case $event in
        MODIFY|CREATE|MOVE|MODIFY,ISDIR|CREATE,ISDIR)
            echo "$event"'-'"$file"
            ;;
        MOVED_FROM|MOVED_FROM,ISDIR|DELETE|DELETE,ISDIR)
            echo "$event"'-'"$file"
            ;;
    esac
done
Run the script and observe the output (this test deletes a directory with rm -fr cronolog-1.6.2.bak):
/tmp/test.sh
DELETE-/home/admin/cronolog-1.6.2.bak/copying
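The loop above splits each line on whitespace, so a file name containing a space shifts the fields and the event no longer matches. The following added example (not from the original page) puts the path last behind a '|' delimiter and classifies the comma-separated event list; the function names, the classification labels and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes inotifywait was started with a delimiter format:
#   inotifywait -mrq --timefmt '%d/%m/%y %H:%M' --format '%T|%e|%w%f' \
#       -e modify,delete,create,attrib,moved_from,moved_to /home/admin

# classify_event EVENTS: map a comma-separated event list to one label.
classify_event() {
    case ",$1," in
        *,DELETE,*|*,MOVED_FROM,*) echo removed ;;
        *,CREATE,*|*,MOVED_TO,*)   echo added ;;
        *,MODIFY,*)                echo changed ;;
        *,ATTRIB,*)                echo perms ;;
        *)                         echo other ;;
    esac
}

# handle_events: read "time|EVENTS|path" lines on stdin and print
# "time<TAB>label<TAB>file|dir<TAB>path". The path is the last field, so
# spaces and '|' inside a name survive. A newline inside a file name still
# splits the record; that is a limit of line-based output.
handle_events() {
    while IFS='|' read -r ts events path; do
        [ -n "$path" ] || continue   # skip malformed lines
        case ",$events," in
            *,ISDIR,*) kind=dir ;;
            *)         kind=file ;;
        esac
        printf '%s\t%s\t%s\t%s\n' "$ts" "$(classify_event "$events")" "$kind" "$path"
    done
}

# Constructed sample lines in the format above (not captured output).
sample_events() {
    printf '%s\n' \
        '09/10/12 09:36|DELETE|/home/admin/cronolog-1.6.2.bak/COPYING' \
        '09/10/12 09:36|DELETE,ISDIR|/home/admin/cronolog-1.6.2.bak' \
        '09/10/12 09:37|CREATE|/home/admin/my notes.txt' \
        '09/10/12 09:38|ATTRIB|/home/admin/a|b.sh'
}

sample_events | handle_events
```

In real use, replace sample_events with the inotifywait command shown in the comment at the top of the block.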
An example from my own use
C language version
#include <unistd.h>
#include <sys/inotify.h>
#include <stdio.h>
#include <error.h>
#include <errno.h>
#include <string.h>

#define ERROR(text) error(1, errno, "%s", text)

struct EventMask {
    unsigned int flag;   /* unsigned: IN_ONESHOT does not fit in a signed int */
    const char *name;
};

/* Read exactly `remain` bytes from file into dest; return -1 on EOF or error. */
int freadsome(void *dest, size_t remain, FILE *file)
{
    char *offset = (char *)dest;
    while (remain) {
        size_t n = fread(offset, 1, remain, file);
        if (n == 0) {
            return -1;
        }
        remain -= n;
        offset += n;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    const char *target;
    if (argc == 1) {
        target = ".";
    } else {
        target = argv[1];
    }

    struct EventMask event_masks[] = {
        {IN_ACCESS, "IN_ACCESS"}, {IN_ATTRIB, "IN_ATTRIB"},
        {IN_CLOSE_WRITE, "IN_CLOSE_WRITE"}, {IN_CLOSE_NOWRITE, "IN_CLOSE_NOWRITE"},
        {IN_CREATE, "IN_CREATE"}, {IN_DELETE, "IN_DELETE"},
        {IN_DELETE_SELF, "IN_DELETE_SELF"}, {IN_MODIFY, "IN_MODIFY"},
        {IN_MOVE_SELF, "IN_MOVE_SELF"}, {IN_MOVED_FROM, "IN_MOVED_FROM"},
        {IN_MOVED_TO, "IN_MOVED_TO"}, {IN_OPEN, "IN_OPEN"},
        {IN_DONT_FOLLOW, "IN_DONT_FOLLOW"}, {IN_EXCL_UNLINK, "IN_EXCL_UNLINK"},
        {IN_MASK_ADD, "IN_MASK_ADD"}, {IN_ONESHOT, "IN_ONESHOT"},
        {IN_ONLYDIR, "IN_ONLYDIR"}, {IN_IGNORED, "IN_IGNORED"},
        {IN_ISDIR, "IN_ISDIR"}, {IN_Q_OVERFLOW, "IN_Q_OVERFLOW"},
        {IN_UNMOUNT, "IN_UNMOUNT"},
    };

    int monitor = inotify_init();
    if (-1 == monitor) {
        ERROR("monitor");
    }
    int watcher = inotify_add_watch(monitor, target, IN_ALL_EVENTS);
    if (-1 == watcher) {
        ERROR("inotify_add_watch");
    }

    FILE *monitor_file = fdopen(monitor, "r");
    if (monitor_file == NULL) {
        ERROR("fdopen");
    }
    char last_name[1024] = "";   /* initialised so the first strcmp is defined */
    char name[1024];

    /* event: inotify_event -> name: char[event.len] */
    while (1) {
        struct inotify_event event;
        if (-1 == freadsome(&event, sizeof(event), monitor_file)) {
            ERROR("freadsome");
        }
        if (event.len) {
            /* never read more than the name buffer can hold */
            if (event.len > sizeof(name) ||
                -1 == freadsome(name, event.len, monitor_file)) {
                ERROR("freadsome");
            }
        } else {
            sprintf(name, "FD: %d\n", event.wd);
        }
        if (strcmp(name, last_name) != 0) {
            puts(name);
            strcpy(last_name, name);
        }
        /* Display the meaning of the event's mask */
        for (size_t i = 0; i < sizeof(event_masks) / sizeof(event_masks[0]); ++i) {
            if (event.mask & event_masks[i].flag) {
                printf("\t%s\n", event_masks[i].name);
            }
        }
    }
    return 0;
}
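inotify related parameters:
/proc/sys/fs/inotify/max_queued_events # maximum number of requested events
/proc/sys/fs/inotify/max_user_instances # upper limit on the number of instances each user can create
/proc/sys/fs/inotify/max_user_watches # maximum number of directories that can be monitored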
Common parameters:
--timefmt time format
%y year, %m month, %d day, %H hour, %M minute
--format output format
%T time, %w path, %f file name, %e status
-m stay in the listening state; by default inotifywait exits once an event is triggered.
-r watch the directory recursively
-q print out the monitored events
-e define the events to monitor; available values:
open: file is opened; attrib: attribute change
access: the file is read.
modify: the file is changed.
attrib: file attributes change, such as permissions, timestamps, and so on.
close_write: a file opened in writable mode is closed; this does not necessarily mean that data was written to the file.
close_nowrite: a file opened in read-only mode is closed.
close: the file is closed, regardless of how it was opened.
open: the file is opened.
moved_to: a file or directory is moved into the watched directory; this event is triggered even if the move is within the same directory.
moved_from: a file or directory is moved out of the watched directory; this event is also triggered even if the move is within the same directory.
move: includes moved_to and moved_from.
move_self: the file or directory is moved, after which it is no longer watched.
create: a file or directory is created.
delete: a file or directory is deleted.
delete_self: the file or directory is deleted, after which it is no longer watched.
unmount: the file system is unmounted, after which it is no longer watched.
Example: inotifywait -mrq -e modify,create --timefmt '%y-%m-%d %H:%M:%S' --format '%T %f %e' %w
inotify-tools provides two tools: inotifywait, which monitors changes to files or directories, and inotifywatch, which counts the number of file system accesses.
inotifywatch
1. Collect statistics on file system events under /home
inotifywatch -v -e access -e modify -t 60 -r /home
inotifywait parameter description
Syntax:
inotifywait [-hcmrq] [-e] [-t] [--format] [--timefmt] [...]
Parameters:
-h, --help
Output help information.
@
Exclude files that do not need to be monitored; may be a relative or an absolute path.
--fromfile
Read the files to monitor or exclude from a file, one file per line; excluded files begin with @.
-m, --monitor
Do not exit after receiving an event; run indefinitely. The default behavior is to exit immediately after receiving one event.
-d, --daemon
Same as --monitor, except that it runs in the background; you must specify --outfile to write events to a file. Also implies --syslog.
-o, --outfile
Output events to a file rather than standard output.
-s, --syslog
Output error messages to the system log.
-r, --recursive
Monitor all subdirectories of a directory.
-q, --quiet
Specified once, detailed information is not output; specified twice, nothing is output except fatal errors.
--exclude
Regular expression matching the files to exclude; case sensitive.
--excludei
Regular expression matching the files to exclude; case insensitive.
-t, --timeout
Set the timeout; if 0, wait indefinitely.
-e, --event
Specify the events to monitor.