Monitoring file or directory changes

Many modern systems provide a way to watch a directory for events (new files, reading the directory, modification of a file in the directory, etc.). This facility can be done in various ways, from providing hooks in the filesystem code itself to something that watches for inode changes. Linux and BSD have several possibilities in that regard, including dnotify ( replaced by inotify), changedfiles, watch, Gamin and fam.

Mac OS X has FileMonitor (shareware), FSEvents and it's certainly possible that some of the BSD tools might compile on OS X. But what do you do when there is no support in the OS?


Brute Force

Typically you are interested in new files in a particular directory. You can do something like this:

touch /tmp/testdirb.$$
while true
do
ls /testdir > /tmp/testdira.$$
diff /tmp/testdira.$$ /tmp/testdirb.$$ || echo "changed"
cp /tmp/testdira.$$ /tmp/testdirb.$$
sleep 300
done
 

If you were looking for a particular file to change, you'd use "ls -l", and if your interest was in if the file was being used or executed, "ls -lut" would give you that. This example justs echoes when something changes, but you would more likely call some other script that did more testing. One obvious issue that comes up if a file has been created is waiting for the creating program to have finished up: lsof or fuser can help you with that.

But this is all pretty crude. Sometimes crude is fine, but if you need to know more often, there's a fair amount of overhead in this that you really don't need.

If it is just one file, and your interest is additions to it, the mailchecking utility in your shell can give you alerts. For example, in Linux bash:

MAIL=/tmp/watchthis
MAILCHECK=10
 

You can watch multiple files, each with its own message, by using MAILPATH instead of MAIL. You need to "unset MAIL", and set and export MAILPATH:

unset MAIL
MAILPATH='/tmp/foo/h?"H is changed":/tmp/foo/a?"A has changed"'
export MAILPATH
 

Stat

Linux systems have a command line "stat" that can make checking changes a little less intensive. "stat -t testdir" looks something like this:

testdir 4096 8 41ed 5001 5001 303 82022 2 2b 1d 1070127877 1070128608 1070128608
 

which is everything you want to know about the file or directory for this purpose. Security Enhanced Linux versions add another field which we need to strip out for our purposes here:

OLD=`stat -t testdir`
# OLD=`stat -t testdir | sed 's/[0-9][0-9]*$//'`  # if SE linux stat
while true
do
NEW=`stat -t testdir`
# NEW=`stat -t testdir | sed 's/[0-9][0-9]*$//'`  if SE linux stat
[ "$NEW" == "$OLD" ] || echo "changed!"
sleep 3
done
 

You could get fancier by splitting out the fields into separate variables. That isn't a lot of fun at the shell level, so we'll move up a notch.

Perl or C

From Perl or C (and of course many other languages), you can get access to the stat information a bit more easily. Here's a simple Perl example like those already given:

#!/usr/bin/perl
@info=stat("testdir") or die "Can't stat testdir $!";
while (1) {
@newinfo=stat("testdir") or die "Can't stat testdir $!";
@what=qw(Device Inum Mode Links Owner Group Rdev Size Atime Mtime Ctime PBlock Blocks);
$x=0;
while ($info[$x]) {
  system("/bin/echo $what[$x] $info[$x] $newinfo[$x]") if ($info[$x] ne $newinfo[$x]);
  $x++;
}
@[email protected];
sleep 1;
}
 

Front-end it

If your interest is when users use some particular application to change a file, you can "front-end" the app - that is, put a script of the same name ahead of the realapp in $PATH. Your script collects whatever it needs to know (which might include who and when and file meta info as well as a "sum"), calls the real app and finishes up with doing whatever you want - check to see if the file(s) changed, back things up, write a log, whatever.

who am i >> /tmp/mylog 
echo "call script" 
date >> /tmp/mylog 
/pathtorealscript/fileupdate 
date >> /tmp/mylog 
echo "update done" >> /tmp/mylog
 


Got something to add? Send me email.





(OLDER) <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> Monitoring file or directory changes


8 comments



Increase ad revenue 50-250% with Ezoic


More Articles by

Find me on Google+

© Tony Lawrence




---November 23, 2004



---December 1, 2004



---January 4, 2005

The while loop fails to detect a change if one of the values of $info is 0. The while loop should be something liket this so that the whole array is checked:

while (scalar(@info) > $x) { }

---January 11, 2005

Bajs





Wed Feb 24 06:54:22 2010: 8128   noan

gravatar


may i copied and linked your article to my blog?





Wed Feb 24 11:50:32 2010: 8130   TonyLawrence

gravatar


Yes - if it is correctly attributed back here, you may. Please let me know where you have put it.



Thu Feb 25 01:14:43 2010: 8134   Rizki

gravatar


This is the link to my blog that copied your article
(link)



Thu Feb 25 01:20:12 2010: 8135   TonyLawrence

gravatar


Thanks!



Thu Feb 25 01:24:31 2010: 8136   TonyLawrence

gravatar


I'm sorry, though: you didn't do it quite right.

See
(link)

It needs to say that my post is Copyright Anthony Lawrence at
(link)

Other than that, it's fine.



Wed Apr 11 13:09:22 2012: 10843   Sergey

gravatar


in Stat example you forgot to reset the $OLD variable, I believe it should look like so:
[ "$NEW" == "$OLD" ] || { echo "changed!"; OLD=$NEW; }
instead of
[ "$NEW" == "$OLD" ] || echo "changed!"

good post, thanks!



Wed Apr 11 13:21:50 2012: 10844   TonyLawrence

gravatar


Oops - yes, that's needed..



Fri Feb 1 13:29:06 2013: 11846   anonymous

gravatar


&& OLD=$NEW after the echo will reset OLD and changed! is only printed once:

#!/bin/sh
OLD=`stat -t /home`
while true
do
NEW=`stat -t /home`
[ "$NEW" == "$OLD" ] || echo "changed!" && OLD=$NEW
sleep 3
done




------------------------
Kerio Samepage


Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us