7

i know there's a fuser command that lists out pids of processes, but how do you continuously monitor what process accessed the file? (think behavior similar to tail -f filename)

say there's a process which writes to a file and releases the handle at some interval, so it's hard to catch that process using fuser.

the1plummie
  • 750
  • 2
  • 10
  • 21
  • Please check http://linux.die.net/man/7/inotify – Jayan Jul 21 '12 at 06:23
  • How (non-)intrusive and (non-)interactive do you need/can afford this to be? @cravoori's polling could work if the interval you mention is long enough; replacing the file with a named pipe and saturating its buffer will block all writers so you can identify them at leisure but may not be the kind of solution you're looking for; finally, you can define your own Linux [kernel tracepoints](http://netsplit.com/2011/03/07/tracing-on-linux/) to trace which process opened a particular file for writing. – vladr Jul 21 '12 at 06:24

2 Answers2

1

you could watch to execute commands at periodic intervals. Watch also supports a differences flag for purposes of highlighting differences on consecutive runs 

watch -n 5  'fuser file_name'
iruvar
  • 22,736
  • 7
  • 53
  • 82
  • not really working for me... the writes to the file are pretty brief and using watch didn't catch it (tried watch -n 1 as well) – the1plummie Jul 25 '12 at 19:00
0

You could use inotifywatch, assuming you are on a Linux.

This command will print all access and modifies on a file for 60 seconds, then prints out stats.

inotifywatch -v -e access -e modify -t 60 filename

You can get inotifywatch's source as https://github.com/rvoicilas/inotify-tools/wiki

Office Zombie
  • 66
  • 6
  • 3
    This will show the number of accesses / modifications, but is there a way to find out *which process* accessed / modified the file? – aioobe Aug 28 '15 at 14:24