Fatrace: Report system wide file access events

fatrace reports which processes access which files, system-wide: it watches every (real) mounted file system on the server, ignoring its own process and kernel-provided virtual file systems such as proc and sysfs. It is built on the kernel's fanotify interface, so it has to run as root.

Install on Centos7

Download the repo file from fedorainfracloud.org

sudo curl -o /etc/yum.repos.d/ifas.repo https://copr.fedorainfracloud.org/coprs/ifas/fatrace/repo/epel-7/ifas-fatrace-epel-7.repo
sudo yum install fatrace -y

Note that `sudo curl ... > /etc/yum.repos.d/ifas.repo` does not work: the shell performs the redirection as the unprivileged user before sudo runs, so writing to /etc/yum.repos.d fails with permission denied. Letting curl write the file itself (`-o`) keeps the write under sudo.

Usage

Option                          Description
-c, --current-mount             Only record events on the partition/mount of the current directory. Without this option, all (real) partitions/mount points are watched.
-o FILE, --output=FILE          Write events to FILE instead of standard output.
-s SECONDS, --seconds=SECONDS   Stop after the given number of seconds.
-t, --timestamp                 Add a timestamp to each event. When this option is given once, the timestamp is human-readable.
-p PID, --ignore-pid=PID        Ignore events for this process ID. Can be specified multiple times.

Output

The output should look something like the following. My action was reloading this page while watching with fatrace.

$ fatrace -t
12:58:20.859174 pickup(7666): CO /var/spool/postfix/maildrop
12:58:21.017572 caddy(7472): CO /var/www/vhosts/blog/tools/fatrace
12:58:21.017572 caddy(7472): CO /var/www/vhosts/blog/tools/fatrace/index.html
12:58:21.017572 caddy(7472): W /var/log/caddy/blog.log
12:58:21.213908 caddy(7472): CO /var/www/vhosts/blog/index.json
12:58:21.213908 caddy(7472): W /var/log/caddy/blog.log
12:58:21.305848 caddy(7472): RCO /var/www/vhosts/blog/img/favicon.png
12:58:21.305848 caddy(7472): W /var/log/caddy/blog.log
Each line has the form TIMESTAMP PROCESS(PID): ACTIONS PATH (the timestamp only appears with -t). The action letters are:

Letter   Description
R        Read
W        Write
O        Open
C        Close

Action identifiers can be combined: CO in the output above is a single event carrying both open and close, and RCO one carrying read, close and open.

Use cases

Identifying which files are accessed by a process, for example which configuration files a daemon reads at startup, or which process is writing to a file you did not expect to change.
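A raw trace of a busy server is long, so the use case above usually comes down to post-processing the output. The following script is an added example, not part of the fatrace project or the original page: it parses `fatrace -t` lines in the format shown above (also handling lines without a timestamp and paths containing spaces), lists the unique files touched by a given process name, and counts write events per process and file. The sample lines are constructed, modeled on the output above.

```shell
#!/bin/sh
# Constructed sample of `fatrace -t` output, modeled on the trace shown on this page.
SAMPLE='12:58:20.859174 pickup(7666): CO /var/spool/postfix/maildrop
12:58:21.017572 caddy(7472): CO /var/www/vhosts/blog/tools/fatrace
12:58:21.017572 caddy(7472): CO /var/www/vhosts/blog/tools/fatrace/index.html
12:58:21.017572 caddy(7472): W /var/log/caddy/blog.log
12:58:21.213908 caddy(7472): CO /var/www/vhosts/blog/index.json
12:58:21.213908 caddy(7472): W /var/log/caddy/blog.log
12:58:21.305848 caddy(7472): RCO /var/www/vhosts/blog/img/favicon.png
12:58:21.305848 caddy(7472): W /var/log/caddy/blog.log'

# Shared awk parser: sets comm, act and path for the current line.
# Line format: [TIMESTAMP] COMM(PID): ACTIONS PATH
PARSE='
function parse(i) {
    off  = ($1 ~ /\(/) ? 0 : 1                 # without -t there is no leading timestamp
    comm = $(1 + off); sub(/\(.*$/, "", comm)  # "caddy(7472):" -> "caddy"
    act  = $(2 + off)                          # e.g. "RCO"
    path = $0
    for (i = 1; i <= 2 + off; i++) sub(/^[^ ]+ +/, "", path)  # rest of line, spaces in path preserved
}'

# files_for_process NAME: unique paths touched by processes whose name is NAME (reads a trace on stdin)
files_for_process() {
    awk -v want="$1" "$PARSE"'
        { parse(); if (comm == want) print path }' | sort -u
}

# writes_by_process: "COUNT COMM PATH" for every process/file pair with write (W) events, most frequent first
writes_by_process() {
    awk "$PARSE"'
        { parse(); if (index(act, "W")) n[comm " " path]++ }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE" | files_for_process caddy
printf '%s\n' "$SAMPLE" | writes_by_process
```

Against a live system the same functions read a saved trace, e.g. `sudo fatrace -t -s 60 -o /tmp/trace.log` followed by `files_for_process caddy < /tmp/trace.log`; add `-p $$` to keep the shell running the trace out of the results.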

References

Manpage fatrace
