I want to find out what file operations (failed and successful) where performed in the last hour on my system. Is there a way to do that?
Asked
Active
Viewed 443 times
2 Answers
0
You can't see a history of file operations unless you have monitored and logged them. There are some ways to do that, like the ptrace() system call or the strace command line utility, or perhaps even DTrace, but if you didn't log the actions, you'll only have the file time stamps to work with.
ketil
- 131
0
This kind of information is not logged by default (that would be a lot of information)!
If you want to see what a particular process is doing, run it under strace (that's the Linux utility, other Unix variants have similar utilities such as truss, dtrace, etc.). By default strace logs all the system calls. You can control what kind of information strace displays; for example the option -efile restricts the logging to system calls that access files.
strace -o myprogram.log -efile myprogram --option
If you want to log accesses to all files in a particular hierarchy, you can use LoggedFS. See Is it possible to find out what program or script created a given file? for a usage example. Don't log the directory where the logs are being written!
A more pervasive logging mechanism is Linux's audit subsystem. It runs as root. See Is it possible to find out what program or script created a given file? for configuration instructions and a usage example. Don't log the directory where the logs are being written!
Gilles 'SO- stop being evil'
- 829,060