Monitoring Filesystem Events with incron on RHEL 6
Have you ever wanted to know when a file is changed or accessed by the system or by a user? There is a program that does just that task: Inotify cron (incron).
Incron is for monitoring filesystem activity. It consists of a daemon and a table manipulator. You can use it in a similar way to the regular cron; the difference is that inotify cron handles filesystem events rather than time periods.
incron provides a simple way to solve many different situations. Whenever something depends on filesystem events, it is a job for incron.
Here you can see a few examples where incron is a good solution:
- Notifying programs (e.g. server daemons) about changes in configuration
- Guarding changes in critical files (with their eventual recovery)
- File usage monitoring, statistics
First we will need to install incron:
$ sudo yum install incron
Make sure we set it to start on reboot:
$ sudo chkconfig incrond on
And now to start incron:
$ sudo service incrond start
incrond uses inotify, so to use it effectively we need to have it act on the inotify events, which are:
- IN_ACCESS: File was accessed (read) (*)
- IN_ATTRIB: Metadata changed, e.g., permissions, timestamps, extended attributes, link count (since Linux 2.6.25), UID, GID, etc. (*)
- IN_CLOSE_WRITE: File opened for writing was closed (*)
- IN_CLOSE_NOWRITE: File not opened for writing was closed (*)
- IN_CREATE: File/directory created in watched directory (*)
- IN_DELETE: File/directory deleted from watched directory (*)
- IN_DELETE_SELF: Watched file/directory was itself deleted
- IN_MODIFY: File was modified (*)
- IN_MOVE_SELF: Watched file/directory was itself moved
- IN_MOVED_FROM: File moved out of watched directory (*)
- IN_MOVED_TO: File moved into watched directory (*)
- IN_OPEN: File was opened (*)
(*) When monitoring a directory, these events can also occur for files inside that directory.
The incron table manipulator may be run by any regular user since it is setuid. Tables are manipulated with basically the same syntax as the crontab program: you can import a table, remove it, or edit the current table.
The user table rows have the following syntax (use one or more spaces between elements):
<path> <mask> <command>
Where:
<path> is a filesystem path (each whitespace character must be escaped with a backslash)
<mask> is a symbolic or numeric mask for events (see man inotify for more details)
<command> is an application or script to run on the events
The command may contain these wildcards:
- $$ - a dollar sign
- $@ - the watched filesystem path (see above)
- $# - the event-related file name
- $% - the event flags (textually)
- $& - the event flags (numerically)
Now with all that information, what can we do? Say you want to be notified by email each time /etc/hosts is modified. Open the incrontab (make sure you are root for this example):
# incrontab -e
and add the following line:
/etc/hosts IN_MODIFY mailx -s "Hosts file Has Been modified" mymail@mymail.com < /dev/null
Save the changes, then open /etc/hosts and make a change; you should receive an email in your inbox.
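Because incrond executes the table command directly rather than through a shell, quoting and redirections in a table line are not interpreted, so a handler with any real logic is best put in a script. The following handler is an added example, not code from the original post: it receives the $@, $#, $% wildcards as arguments, logs the event to syslog and compares the touched file against a recorded sha256 baseline. The script path /usr/local/bin/incron-guard.sh and the baseline directory /var/lib/incron-guard are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a handler that an incrontab line
# calls with the $@ $# $% wildcards. Example table line (the script path and
# baseline directory are assumptions, not values from the post):
#   /etc IN_CLOSE_WRITE,IN_MOVED_TO /usr/local/bin/incron-guard.sh $@ $# $%

# Where recorded sha256 baselines live (assumed location).
BASELINE_DIR=${BASELINE_DIR:-/var/lib/incron-guard}

# Turn the three incron arguments into one structured log line.
# $1 = watched path ($@), $2 = event file name ($#), $3 = event flags ($%)
format_event() {
    printf 'incron-guard path=%s file=%s flags=%s' "$1" "$2" "$3"
}

# Compare a file's current sha256 with a baseline hash string; prints
# "unchanged" or "changed" and returns 0 or 1 so callers can branch on it.
check_baseline() {
    current=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$current" = "$2" ]; then
        echo unchanged; return 0
    fi
    echo changed; return 1
}

# Record the current hash of a known-good file as its baseline (run once).
record_baseline() {
    mkdir -p "$BASELINE_DIR"
    sha256sum "$1" | cut -d' ' -f1 > "$BASELINE_DIR/$(basename "$1").sha256"
}

# Entry point used when incrond calls the script with exactly three arguments.
# $# is the file name for a directory watch and empty for a file watch.
handle_event() {
    if [ -n "$2" ]; then target="$1/$2"; else target=$1; fi
    msg=$(format_event "$1" "$2" "$3")
    baseline="$BASELINE_DIR/$(basename "$target").sha256"
    if [ -f "$baseline" ]; then
        result=$(check_baseline "$target" "$(cat "$baseline")" || true)
        msg="$msg baseline=$result"
    fi
    # authpriv.notice is routed to /var/log/secure by RHEL 6's default rsyslog.conf
    logger -t incron-guard -p authpriv.notice "$msg"
}

if [ $# -eq 3 ]; then
    handle_event "$@"
fi
```

IN_MODIFY fires once per write() call, so an editor saving a file can trigger the command several times; IN_CLOSE_WRITE fires once when the writer closes the file. Watching the directory rather than the file also keeps the watch alive when an editor saves by writing a new file and renaming it over the old one, which would otherwise end a file watch with IN_MOVE_SELF or IN_DELETE_SELF.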
At this point we have covered just the basics of what is possible with incron. Experiment with incron and see what other items you can monitor and what other commands you can execute on filesystem actions.