How do I log file system read/writes by filename in Linux?
I'm looking for a simple method that will log file system operations. It should display the name of the file being accessed or modified.
I'm familiar with powertop, and it appears this works to an extent, insofar as it shows the user files that were written to. Are there any other utilities that support this feature?
Some of my findings:
powertop: best for write access logging, but more focused on CPU activity
iotop: shows real time disk access by process, but not file name
lsof: shows the open files per process, but not real time file access
iostat: shows the real time I/O performance of disk/arrays but does not indicate file or process
Solution 1:
So far iotop is the best overall solution. The following command gives you a real-time output of all the processes using the disk.
iotop -bktoqqq -d .5
where: -b is batch mode
-k is kilobytes/s
-t adds timestamp
-o only show processes or threads actually doing I/O
-qqq removes output headers
-d .5 updates every .5 seconds
Eventually you will notice that a process will be accessing the disk. The simple way to investigate is to stop the process, and start it with strace. For example:
sudo strace -f nmbd -D
This will show you syscalls of the file system access.
Another option is inotify(7), where many distributions provide "inotify-tools" so you can watch a path via
inotifywait -r -m path_you_want_to_watch
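An added example, not part of the answer above: strace output is verbose, so a small parser can reduce it to a per-file access log. The sample lines are constructed (not a real nmbd trace) and assume the `[pid N]` line prefix that `strace -f` prints; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of `strace -f` output; not captured from a real nmbd run.
SAMPLE = r'''
[pid  2211] openat(AT_FDCWD, "/etc/samba/smb.conf", O_RDONLY) = 5
[pid  2211] openat(AT_FDCWD, "/var/log/samba/log.nmbd", O_WRONLY|O_CREAT|O_APPEND, 0644) = 6
[pid  2212] openat(AT_FDCWD, "/etc/samba/lmhosts", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  2211] read(5, "[global]\n", 4096) = 9
[pid  2212] open("/var/lib/samba/wins.dat", O_RDWR|O_CREAT, 0644 <unfinished ...>
[pid  2212] <... open resumed>) = 7
[pid  2211] unlink("/var/run/samba/nmbd.pid") = 0
'''

LINE = re.compile(r'^(?:\[pid\s+(\d+)\]\s+)?(\w+)\((.*)$')
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # first quoted argument is the path
ERRNO = re.compile(r'\)\s+= -1 (\w+)')
OPEN_CALLS = {"open", "openat", "creat"}
DELETE_CALLS = {"unlink", "unlinkat"}
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND")

def parse(text):
    """Return one dict per path-based syscall: pid, call, path, kind, error."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # blank lines and "<... resumed>" continuations
        pid, call, rest = m.groups()
        if call not in OPEN_CALLS | DELETE_CALLS:
            continue  # read()/write() carry buffers, not file names
        q = QUOTED.search(rest)
        if not q:
            continue
        tail = rest[q.end():]  # flags and return value follow the path
        if call in DELETE_CALLS:
            kind = "delete"
        elif call == "creat" or any(f in tail for f in WRITE_FLAGS):
            kind = "write"
        else:
            kind = "read"
        err = ERRNO.search(tail)  # None on success or "<unfinished ...>"
        events.append({"pid": int(pid) if pid else None, "call": call,
                       "path": q.group(1), "kind": kind,
                       "error": err.group(1) if err else None})
    return events

def summarize(events):
    """Count accesses per (path, kind) so the busiest files stand out."""
    return Counter((e["path"], e["kind"]) for e in events)
```

strace writes its trace to stderr, so redirect that stream (or use its `-o` option) to get text for `parse()`.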
Solution 2:
Another option is http://linux.die.net/man/7/inotify where many distributions provide "inotify-tools" so you can watch a path via
inotifywait -r -m /<path you want to watch>
Solution 3:
I recently came across fatrace, which uses fanotify. It works beautifully, so I figured I would share. It logs all types of file operations, including open/create/modify, to stdout or optionally a file, and you can even filter so as to get only some types of operations. By default it monitors all mounts except the virtual ones. The author himself explains it well here.