34

I would like to see what's happening in my app server folders, i.e. which files are changed by process x or which *.war files have been changed (replaced/created) in the last x minutes.

Is there a tool in Linux to help with this?

Zanna
  • 3,571
Martin V.
  • 585
  • Hello try to take a look this guide to set up auditd to monitor directories and files http://xmodulo.com/how-to-monitor-file-access-on-linux.html – Sifungurux Feb 23 '15 at 19:20
  • 2
    I got to this question via Google search, but I found my answer here: https://unix.stackexchange.com/questions/18844/list-the-files-accessed-by-a-program/34175#34175 – Quentin Skousen Jun 07 '16 at 20:58
  • 1
    Take a look at SystemTap. http://uselessuseofcat.com/?p=281 – steve Jun 17 '18 at 19:00

5 Answers5

17

Strace (as outlined above) is one way to check the actions of a specified running software.

Some command like watch find dir/ -mmin 1 may also help to check for changes of the past minute in some directory.

Depending on what exactly you're looking for, inotify-tools is probably another tool of trade here.

For example, inotifywait -mr dir/ monitors changes in the given directory and instantly gives you feedback of any application trying to open/read/write/close a file. However, inotify doesn't give you feedback on which application or process is accessing the file - that's something strace does do.

Please do know system-level monitoring is usually of limited use for java software running in some application container environment, as you only do see the container (e.g. Tomcat), but not the actual application (e.g. .war)) interacting with the system.

knoepfchendruecker
  • 316
12

Depending on your exact needs, you might want to look into inotify and/or FAM/GAMIN solutions.

peterph
  • 30,838
11

You can get information about which files accessed by process by lsof:

 lsof -n -p `pidof your_app`

And vice verse, you can get pid of process that write/read to some file:

 lsof -n -t file
trankvilezator
  • 111
8

You could use strace to monitor all system-calls of a process, which includes all file access.

When starting a program:

$ strace ./myserver

you can also attach strace to a running process via it's PID:

$ ps aux | grep myserver
me      1859  0.0  0.0  25288   424 ?        Ss   Sep02   0:00 myserver
$ strace -p 1859
umläute
  • 6,472
  • would be great to monitor also by folder not by PID, thank you. btw strace -p PID works for me in Ubuntu. – Martin V. Sep 23 '13 at 13:27
1

watch find dir/ -mmin 1 did not work for me, what did was simply copy and diff:

cp -r dir /tmp/olddir
# initialize/whatever
diff -r dir /tmp/olddir

It's quite resource-intensive, but it shows all changes between the snapshot and diff time.

serv-inc
  • 650