Monitoring Filesystem Events with incron on RHEL 6

Have you ever wanted to know when a file is changed or accessed by the system or a user? A program called inotify cron (incron) does exactly that.

Incron monitors filesystem activity. It consists of a daemon and a table manipulator. You can use it in much the same way as the regular cron. The difference is that inotify cron handles filesystem events rather than time periods.

incron provides a simple way to handle many different situations. Whenever something depends on filesystem events, it's a job for incron.

Here you can see a few examples where incron is a good solution:

  • Notifying programs (e.g. server daemons) about changes in configuration
  • Guarding changes in critical files (with their eventual recovery)
  • File usage monitoring, statistics

First we will need to install incron:

$ sudo yum install incron

Make sure we set it to start on reboot:

$ sudo chkconfig incrond on

And now to start incron:

$ sudo service incrond start

incrond is built on inotify, so each table entry acts on one or more of these inotify events:

IN_ACCESS         File was accessed (read) (*).
IN_ATTRIB         Metadata changed, e.g., permissions, timestamps, extended attributes, link count (since Linux 2.6.25), UID, GID, etc. (*).
IN_CLOSE_WRITE    File opened for writing was closed (*).
IN_CLOSE_NOWRITE  File not opened for writing was closed (*).
IN_CREATE         File/directory created in watched directory (*).
IN_DELETE         File/directory deleted from watched directory (*).
IN_DELETE_SELF    Watched file/directory was itself deleted.
IN_MODIFY         File was modified (*).
IN_MOVE_SELF      Watched file/directory was itself moved.
IN_MOVED_FROM     File moved out of watched directory (*).
IN_MOVED_TO       File moved into watched directory (*).
IN_OPEN           File was opened (*).

When a directory is watched, the events marked (*) can also occur for files inside that directory.

The incron table manipulator (incrontab) may be run by any regular user because it is a SUID program. To manipulate the tables, use basically the same syntax as for the crontab program. You can import a table, and remove or edit the current table.

The user table rows have the following syntax (use one or more spaces between elements):

<path> <mask> <command>


<path> is a filesystem path (each whitespace character must be preceded by a backslash)
<mask> is a symbolic or numeric mask for events (see man inotify for more details)
<command> is an application or script to run on the events

The command may contain these wildcards:

$$ - a dollar sign
$@ - the watched filesystem path (see above)
$# - the event-related file name
$% - the event flags (textually)
$& - the event flags (numerically)

Now, with all that information, what can we do? Say you want to receive an email each time /etc/hosts is modified. Make sure you are root for this example, open the incron table for editing and add the row below (admin@example.com is a placeholder for the recipient address; use your own):

# incrontab -e

/etc/hosts IN_MODIFY mailx -s "Hosts file Has Been modified" admin@example.com < /dev/null

Save the changes, then open /etc/hosts and make a change; you should receive an email in your inbox.
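An email on every IN_MODIFY tells you that something was written, not whether the file still matches a known-good state. The script below is an added example (not from the original article) for the "guarding changes in critical files" use case: it receives $@, $# and $% from incron, treats the file name as untrusted input, and compares the file's SHA-256 against a stored baseline. The script path, the baseline location and the incrontab row shown in the comment are assumptions; the row watches the directory so that the file name arrives in $# and a file replaced by rename is still seen.

```shell
#!/bin/bash
# Added example, not from the original article. Handler for a row such as:
#   /etc IN_CLOSE_WRITE,IN_MOVED_TO /usr/local/sbin/guard-file.sh $@ $# $%
# The script path and baseline location are assumptions. Create the baseline
# once from a known-good state: sha256sum /etc/hosts > "$BASELINE"
BASELINE="${BASELINE:-/var/lib/guard-file/baseline.sha256}"

# check_event DIR NAME FLAGS
# Prints one verdict line. Returns 0 (unchanged or not guarded),
# 1 (guarded file changed or missing), 2 (input rejected).
check_event() {
    local dir="$1" name="$2" flags="$3" path sum file expected=""
    # NAME is chosen by whoever created the file, so treat it as untrusted:
    # refuse empty names, path separators and control characters.
    case "$name" in
        ""|*/*|*[[:cntrl:]]*) echo "REJECT bad-name"; return 2 ;;
    esac
    [ -r "$BASELINE" ] || { echo "REJECT no-baseline"; return 2; }
    path="${dir%/}/$name"
    # Look the path up in the baseline ("<sha256>  <path>" per line).
    while read -r sum file; do
        if [ "$file" = "$path" ]; then expected="$sum"; fi
    done < "$BASELINE"
    [ -n "$expected" ] || { echo "IGNORE $path"; return 0; }
    [ -f "$path" ] || { echo "ALERT $path missing flags=$flags"; return 1; }
    if [ "$(sha256sum -- "$path" | cut -d' ' -f1)" = "$expected" ]; then
        echo "OK $path"; return 0
    fi
    echo "ALERT $path changed flags=$flags"
    return 1
}

# When incron calls the script with three arguments, log anything that is
# not OK/IGNORE to syslog. Quote every expansion; never eval the arguments.
if [ "$#" -eq 3 ]; then
    verdict=$(check_event "$@") || logger -t guard-file -p authpriv.warning -- "$verdict"
fi
```

Keep the baseline file writable only by root, otherwise whoever can change the guarded file can also change what it is compared against.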

At this point we have covered just the basics of what is possible with incron. Experiment with incron and see what other items you can monitor and what other commands you can execute on filesystem actions.
