Fatrace: Report system-wide file access events
5/Nov 2018
fatrace reports file access events for every file on the server, except accesses made by fatrace itself and files on kernel file systems.
Install on CentOS 7
Download the repo file from fedorainfracloud.org
sudo curl -fsSL -o /etc/yum.repos.d/ifas.repo https://copr.fedorainfracloud.org/coprs/ifas/fatrace/repo/epel-7/ifas-fatrace-epel-7.repo
sudo yum install fatrace -y
Usage
Option | Description |
---|---|
-c, --current-mount | Only record events on partition/mount of current directory. Without this option, all (real) partitions/mount points are being watched. |
-o FILE, --output=FILE | Write events to given file instead of standard output. |
-s SECONDS, --seconds=SECONDS | Stop after the given number of seconds. |
-t, --timestamp | Add timestamp to events. When this option is given once, the format will be a human-readable |
-p PID, --ignore-pid=PID | Ignore events for this process ID. Can be specified multiple times. |
Output
The output should look something like the following. My action was reloading this page while watching with fatrace.
$ fatrace -t
12:58:20.859174 pickup(7666): CO /var/spool/postfix/maildrop
12:58:21.017572 caddy(7472): CO /var/www/vhosts/blog/tools/fatrace
12:58:21.017572 caddy(7472): CO /var/www/vhosts/blog/tools/fatrace/index.html
12:58:21.017572 caddy(7472): W /var/log/caddy/blog.log
12:58:21.213908 caddy(7472): CO /var/www/vhosts/blog/index.json
12:58:21.213908 caddy(7472): W /var/log/caddy/blog.log
12:58:21.305848 caddy(7472): RCO /var/www/vhosts/blog/img/favicon.png
12:58:21.305848 caddy(7472): W /var/log/caddy/blog.log
Letter | Description |
---|---|
R | Read |
W | Write |
O | Open |
C | Close |
Action identifiers can be combined on one event, as in the CO and RCO entries in the output above.
Use cases
Identifying which files are accessed by a process.
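To turn a capture into a per-process answer, the event lines can be parsed and grouped. The following is an added example, not part of fatrace or of the original page: the function names are its own, the sample lines are copied from the output above, and the pattern assumes only the four action letters documented on this page.

```python
import re
from collections import defaultdict

# Action letters as documented in the table above.
ACTIONS = {"R": "read", "W": "write", "O": "open", "C": "close"}

# [timestamp ]comm(pid): LETTERS path  -- the timestamp is present only with -t.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) )?"
    r"(?P<comm>.+?)\((?P<pid>\d+)\): "
    r"(?P<letters>[RWOC]+) (?P<path>.+)$"
)

def parse_line(line):
    """Return one event as a dict, or None if the line is not a fatrace event."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return {"ts": m["ts"], "comm": m["comm"], "pid": int(m["pid"]),
            "actions": {ACTIONS[c] for c in m["letters"]}, "path": m["path"]}

def files_by_process(lines):
    """Map (comm, pid) -> {path: set of action names seen for that path}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ev = parse_line(line)
        if ev:
            seen[(ev["comm"], ev["pid"])][ev["path"]] |= ev["actions"]
    return seen

def written_paths(lines, comm):
    """Sorted paths that the named process wrote to."""
    return sorted({p for (c, _), files in files_by_process(lines).items()
                   if c == comm for p, acts in files.items() if "write" in acts})

# Sample input: lines copied from the output shown above.
SAMPLE = """\
12:58:20.859174 pickup(7666): CO /var/spool/postfix/maildrop
12:58:21.017572 caddy(7472): CO /var/www/vhosts/blog/tools/fatrace/index.html
12:58:21.017572 caddy(7472): W /var/log/caddy/blog.log
12:58:21.305848 caddy(7472): RCO /var/www/vhosts/blog/img/favicon.png
""".splitlines()

if __name__ == "__main__":
    for (comm, pid), files in files_by_process(SAMPLE).items():
        for path, acts in sorted(files.items()):
            print(f"{comm}({pid}) {','.join(sorted(acts)):<16} {path}")
```

Lines that do not match the event format are skipped, so a file written with -o can be passed in unfiltered.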