Monitor File Activities - iWatch
We frequently run into situations where files or directories that are supposed to be protected are being operated on: read, opened, closed, written to, and so on.
Many people would like a monitoring tool that tracks such file activity.
Here is a solution: a tool called iWatch, written in Perl, which can also run in daemon mode.
It can be used to monitor and detect unwanted manipulation of the file system and report it to the system administrators.
For installation, this tool requires:
· Linux kernel Version >= 2.6.13
· Perl modules
§ Linux::Inotify2
§ Event
§ Mail::Sendmail
§ XML::Simple
Below is the syntax used by iwatch.
In daemon mode, iWatch has the following options:
Usage: iwatch [-d] [-f ] [-v] [-p ]
-d Execute the application as daemon.
-f Specify an alternate xml configuration file.
-p Specify an alternate pid file (default: /var/run/iwatch.pid)
-v Verbose mode.
And in command line mode:
Usage: iwatch [-c command] [-C charset] [-e event[,event[,..]]] [-h|--help] [-m ]
[-r] [-s <on|off>] [-t ] [-v] [--version] [-x exception]
[-X ]
The target is the directory or file you want to monitor.
-c command
Specify a command to be executed if an event occurs. You can use the
following special strings in the command:
%c Event cookie number
%e Event name
%f Full path of the filename that gets an event.
%F The old filename in case of a moved_to event.
%p Program name (iWatch)
%v Version number
-C charset
Specify the charset (default is utf-8)
-e event[,event[,..]]
Specify a list of events you want to watch. The following events are available:
access : file was accessed
modify : file was modified
attrib : file attributes changed
close_write : file closed, after being opened in writeable mode
close_nowrite : file closed, after being opened in read-only mode
close : file closed, regardless of read/write mode
open : file was opened
moved_from : file was moved out of the watched directory
moved_to : file was moved into the watched directory
move : a file/dir within watched directory was moved
create : a file was created within watched directory
delete : a file was deleted within watched directory
delete_self : the watched file was deleted
unmount : file system on which watched file exists was unmounted
q_overflow : event queue overflowed
ignored : file was ignored
isdir : event occurred against dir
oneshot : only send event once
all_events : All events
default : close_write, create, delete, move, delete_self and move_self.
-h, --help
Print this help.
-m Specify the contact point's email address.
-r Watch the directory recursively.
-s <on|off>
Enable or disable reports to the syslog (default is off/disabled)
-t Specify a filter string (regex) to compare with the filename or directory name.
-v Verbose mode.
--version
Print the version number.
-x exception
Specify the file or directory which should not be watched.
-X Specify a regex string as exception.
I have used the following combination to monitor a directory in recursive mode.
Command:
# iwatch -r -e access,modify -c "ls -lht %f | awk '{print \$3}'|xargs echo '%f was changed by user'" >> /tmp/watched_files.txt -X /home/user1/error/ /home/user1 -d
Output in /tmp/watched_files.txt:
[ 7/Sep/2010 14:26:59] IN_ACCESS /home/user1/button.php
/home/user1/fbutton.php was changed by user webuser
[ 7/Sep/2010 14:27:09] IN_MODIFY /home/user1/button.php
/home/user1/fbutton.php was changed by user webuser
[ 7/Sep/2010 14:27:10] IN_MODIFY /home/user1/button.php
/home/user1/fbutton.php was changed by user webuser
Finally, you can set up a cron job to mail the log to the system administrator.
(I am setting a cron job that runs at 11:55 and sends the mail.)
55 23 * * * /bin/mail -s "Watched Files Activities for DAY `date +%d-%m-%Y`" "delhi.manish@gmail.com" < /tmp/watched_files.txt
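As an added example (not iWatch's own code) for the report-by-mail step above: a POSIX shell script that condenses the log iwatch writes, in the `[date time] EVENT path` format shown in the output, into counts per event and path before it is mailed. It assumes the log lines look exactly like those above and uses a constructed sample log.

```shell
#!/bin/sh
# Added example, not part of iWatch: summarise /tmp/watched_files.txt before the
# nightly mail so the administrator sees one line per event type and path
# instead of the raw log. Assumes the "[date time] EVENT path" lines shown in the
# output above; the "... was changed by user" lines are skipped. Paths containing
# spaces are not handled.

# Print "COUNT EVENT PATH" for every event/path pair, most frequent first.
summarize_iwatch_log() {
    # $1: log file appended to by the iwatch -c command
    awk '
        # Only lines starting with "[" carry the timestamp, event name and path.
        /^\[/ {
            # With a single-digit day the line splits as "[", "7/Sep/2010",
            # "14:26:59]", ...; with a two-digit day "[" is fused to the date.
            # Either way the event follows the field that ends in "]".
            for (i = 1; i <= NF; i++) {
                if ($i ~ /]$/) { count[$(i + 1) " " $(i + 2)]++; break }
            }
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2,3
}

# List only the paths that were written to (IN_MODIFY / IN_CLOSE_WRITE), which
# is what a reviewer of the daily report usually wants to check first.
modified_paths() {
    summarize_iwatch_log "$1" |
        awk '$2 == "IN_MODIFY" || $2 == "IN_CLOSE_WRITE" { print $3 }' | sort -u
}

# Constructed sample log in the format shown above (not real data).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[ 7/Sep/2010 14:26:59] IN_ACCESS /home/user1/button.php
/home/user1/button.php was changed by user webuser
[ 7/Sep/2010 14:27:09] IN_MODIFY /home/user1/button.php
/home/user1/button.php was changed by user webuser
[ 7/Sep/2010 14:27:10] IN_MODIFY /home/user1/button.php
/home/user1/button.php was changed by user webuser
[12/Sep/2010 09:01:00] IN_ACCESS /home/user1/index.php
/home/user1/index.php was changed by user webuser
EOF

summarize_iwatch_log "$SAMPLE_LOG"
modified_paths "$SAMPLE_LOG"
```

Note that the `ls -l` owner field used in the `-c` command above is the file's owner, not the account that touched the file; inotify does not report the acting user, so the summary is best read as "which files changed", with process-level attribution needing a separate source such as auditd.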
nice work manish
Good find Manish
Have you tried strace?
@sidharth
I think strace needs the PID to work on and has different functionality.
I am facing a problem when executing:
Can't locate XML/SimpleObject/LibXML.pm in @INC (@INC contains: /usr/local/lib/perl5 /usr/local/share/perl5 /usr/lib/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib/perl5 /usr/share/perl5) at ./iwatch line 19.
BEGIN failed--compilation aborted at ./iwatch line 19
Please help me.
You also need to install XML::SimpleObject, and when running your iwatch command I get this error:
Options [d|f|p] and [c|e|m|r|s|w|x] are mutually exlusive, you can't mix it!
OK, the last error was my fault. I deleted the -X you put in there and the target at the same time by accident. Duh!
Anyway, got it working now, but how can I exclude any new directories? I just want to monitor new files only. Any ideas?
You have to specify it using -X directory.... using a regex...
I'm getting the same as well... CentOS 6.3. Were you able to resolve this?
Matt has already answered this.... install XML::SimpleObject:
perl -MCPAN -e 'install XML::SimpleObject'
Thanks Matt and Manish. I somehow got it to work. Unfortunately, I didn't document everything that I downloaded and installed.
I found this posting after I had already started the install using other posts as a guide. I will set up a new VM and try this post's instructions.
Thanks again