2

I am writing a program to monitor the file system. But I'm not able to detect when a file is deleted. I tried monitoring with FAN_MARK_ONLYDIR flag hoping fanotify rise some event when deleting a file in a monitored dir, no results.

It is even possible do this using fanotify? There are something to help me to do this?

Raydel Miranda
  • 13,825
  • 3
  • 38
  • 60

2 Answers2

3

According to a linuxquestions.org thread fanotify doesn't detect file replacement or deletion or subdirectory creation, renaming, or deletion. Also see baach.de discussion, which compares (or mentions) inotify, dnotify, fam, Fanotify, tripwire, Python-fuse, and llfuse (python) among other file or directory change monitors.

inotify supports IN_DELETE and IN_DELETE_SELF events and if you are working with a limited number of directories, rather than an entire filesystem, is practical to use.

Edit: Among inotify limitations or caveats mentioned in its webpage are the following:

inotify monitoring of directories is not recursive: to monitor subdirectories under a directory, additional watches must be created. This can take a significant amount time for large directory trees. ... If monitoring an entire directory subtree, and a new subdirectory is created in that tree, be aware that by the time you create a watch for the new subdirectory, new files may already have been created in the subdirectory. Therefore, you may want to scan the contents of the subdirectory immediately after adding the watch.

James Waldby - jwpat7
  • 8,593
  • 2
  • 22
  • 37
  • I'm working with the entire filesystem, but I'll check IN_DELETE and IN_DELETE_SELF from inotify anyway. Why you think would not be practical use it for the entire filesystem? I would like to read your opinion. – Raydel Miranda Dec 17 '13 at 17:44
  • @RaydelMiranda, it probably is ok with a small filesystem, or if you can do a gradual startup, but as noted in man page (see edit) and in the baach.de discussion, setting up watches for all the subdirectories can take a while. – James Waldby - jwpat7 Dec 17 '13 at 17:52
  • I did not use inotify from the beginning because it can't monitor a directory recursively. fanotify does, but only when working on a mount point. See: http://stackoverflow.com/questions/19528432/fanotify-recursivity-does-really-works/19543049#19543049 – Raydel Miranda Dec 17 '13 at 17:59
0

You can do it when monitoring an entire filesystem by using:

fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_FILESYSTEM, FAN_DELETE, AT_FDCWD, "/")

Jonathan
  • 1,007
  • 16
  • 12