Is it possible to log file system events in Windows or Linux? [duplicate]

Is it possible to log file system events like copy, modification, deletion and creation of files and folders on a workstation? I primarily use Windows, but I would like to know if this is possible in Linux too. If no such functionality is built-in, is there a commercial product that can offer this functionality?

This is what I would like the log file to include.

Date         Time    User      Action   Type    Source                   Destination
2013-03-12   15:10   Austin    Copy     File    K:\Alabama\Mobile.txt    L:\Mobile.txt
2013-04-15   09:12   Bradley   Create   Folder                           C:\Chicago
2013-04-23   13:45   Cedric    Delete   Folder  G:\Colorado
2013-05-04   16:03   David     Modify   File    D:\Florida\Miami.txt

It might not look exactly like this, but something similar. I would like to know who did what, at what time, where, and to what folder or file. This is a seemingly very simple log but it would be very useful.

Update

The solution suggested in the linked question above says that one should use Group Policy in Microsoft Management Console to enable audit of objects, and then Event Viewer to view the logs.

I enabled audit for my own username on Desktop folder and tried creating a text file. Within the same second that the file was created, 39 new events were produced in the log! I looked at the clock when I created the file and then filtered the log for events created on that exact second. I then had to look through them one by one to find the event that clearly states the file path and name.

When I tried deleting the file (permanent, not recycling to bin), on that same second 210 events were logged. Who the hell wants to go through all the events to find the right one? To find the exact event I would have to know beforehand that a certain event has occurred. Which makes the whole purpose of this useless. And I would need to know something about the event, i.e. the name of the file created or something, and try to filter on that. There are 28000 events stored in the Security log.

For this reason I don't think this is the solution to the problem. Well, it's not an intelligent one anyway. It would be much easier to use a dedicated tool for this. The Security log in Windows logs all kinds of security related events that are completely uninteresting to me.


Solution 1:

Sounds like a job for Process Monitor on Windows, and inotifywait on Linux.

Examples:

Here's a screenshot of Process Monitor in action

And here's inotifywait watching for changes to a particular subdirectory:

$ inotifywait -m /tmp/stuffthings/
Setting up watches.  
Watches established.
/tmp/stuffthings/ OPEN,ISDIR 
/tmp/stuffthings/ CLOSE_NOWRITE,CLOSE,ISDIR 
/tmp/stuffthings/ CREATE file.txt
/tmp/stuffthings/ OPEN file.txt
/tmp/stuffthings/ MODIFY file.txt
/tmp/stuffthings/ CLOSE_WRITE,CLOSE file.txt

You can install inotifywait and related programs on Ubuntu like so:

sudo apt-get install inotify-tools
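
One way to condense inotifywait's event stream into a log closer to the table in the question, added here as an example and not part of the original answer. The function names and the sample lines are constructed for illustration; inotify events do not identify the acting user, so the output has no User column.

```shell
# Added example: condense inotifywait events into "Date Time Action Type Path".
# Input lines come from: --timefmt '%Y-%m-%d %H:%M' --format '%T %e %w%f'
# i.e. "<date> <time> <EVENT[,EVENT...]> <path>"; the path may contain spaces.
summarize_events() {
    awk '
    {
        # Everything after the third field is the path, spaces preserved.
        path = substr($0, length($1 " " $2 " " $3 " ") + 1)
        action = ""; type = "File"
        n = split($3, ev, ",")
        for (i = 1; i <= n; i++) {
            if      (ev[i] == "ISDIR")      type = "Folder"
            else if (ev[i] == "CREATE")     action = "Create"
            else if (ev[i] == "MODIFY")     action = "Modify"
            else if (ev[i] == "DELETE")     action = "Delete"
            else if (ev[i] == "MOVED_FROM") action = "MoveOut"
            else if (ev[i] == "MOVED_TO")   action = "MoveIn"
        }
        if (action == "") next            # OPEN, CLOSE_*, ACCESS: noise
        line = $1 " " $2 " " action " " type " " path
        if (line == last) next            # collapse bursts of identical events
        last = line
        print line
        fflush()
    }'
}

# Live use (assumes inotify-tools is installed): watch_dir /path/to/watch
watch_dir() {
    inotifywait -m -r -q -e create -e modify -e delete \
        -e moved_from -e moved_to \
        --timefmt '%Y-%m-%d %H:%M' --format '%T %e %w%f' "$1" |
        summarize_events
}

# Constructed sample input (timestamps and paths are made up for the demo).
demo() {
    summarize_events <<'EOF'
2013-03-12 15:10 OPEN,ISDIR /tmp/stuffthings/
2013-03-12 15:10 CREATE /tmp/stuffthings/file.txt
2013-03-12 15:10 MODIFY /tmp/stuffthings/file.txt
2013-03-12 15:10 MODIFY /tmp/stuffthings/file.txt
2013-03-12 15:10 CLOSE_WRITE,CLOSE /tmp/stuffthings/file.txt
2013-03-12 15:11 CREATE,ISDIR /tmp/stuffthings/my dir
2013-03-12 15:12 DELETE /tmp/stuffthings/file.txt
EOF
}

demo
```

Running the script prints the condensed sample; call `watch_dir` with a directory to log live changes instead.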