inotifywatch - Man Page

gather filesystem access statistics using inotify or fanotify

Synopsis

inotifywatch [-hvzrPqf] [-e <event> ] [-t <seconds> ] [-a <event> ] [-d <event> ] <file> [ ... ]

fsnotifywatch [-hvzrPqfIFS] [-e <event> ] [-t <seconds> ] [-a <event> ] [-d <event> ] <file> [ ... ]

Description

inotifywatch listens for filesystem events using Linux's inotify(7) interface, then outputs a summary count of the events received on each file or directory.

fsnotifywatch is similar to inotifywatch but it is using Linux's fanotify(7) interface by default. If explicitly specified, it uses the inotify(7) interface.

Output

inotifywatch and fsnotifywatch will output a table on standard out with one column for each type of event and one row for each watched file or directory.  The table will show the amount of times each event occurred for each watched file or directory.  Output can be sorted by a particular event using the -a or -d options.

Some diagnostic information will be output on standard error.

Options

-h, --help

Output some helpful usage information.

-v, --verbose

Output some extra information on standard error during execution.

@<file>

When watching a directory tree recursively, exclude the specified file from being watched.  The file must be specified with a relative or absolute path according to whether a relative or absolute path is given for watched directories.  If a specific path is explicitly both included and excluded, it will always be watched.

Note: If you need to watch a directory or file whose name starts with @, give the absolute path.

--fromfile <file>

Read filenames to watch or exclude from a file, one filename per line.  If filenames begin with @ they are excluded as described above.  If <file> is `-', filenames are read from standard input.  Use this option if you need to watch too many files to pass in as command line arguments.

-z, --zero

Output table rows and columns even if all elements are zero.  By default, rows and columns are only output if they contain non-zero elements.  Using this option when watching for every event on a lot of files can result in a lot of output!

--exclude <pattern>

Do not process any events for the subset of files whose filenames match the specified POSIX regular expression, case sensitive.

--excludei <pattern>

Do not process any events for the subset of files whose filenames match the specified POSIX regular expression, case insensitive.

--include <pattern>

Process events only for the subset of files whose filenames match the specified POSIX regular expression, case sensitive.

--includei <pattern>

Process events only for the subset of files whose filenames match the specified POSIX regular expression, case insensitive.

-r, --recursive

Watch all subdirectories of any directories passed as arguments.  Watches will be set up recursively to an unlimited depth.  Symbolic links are not traversed.  If new directories are created within watched directories they will automatically be watched.

Warning: If you use this option while watching the root directory of a large tree, it may take quite a while until all inotify watches are established, and events will not be received in this time.  Also, since one inotify watch will be established per subdirectory, it is possible that the maximum amount of inotify watches per user will be reached.  The default maximum is 8192; it can be increased by writing to /proc/sys/fs/inotify/max_user_watches.

-P, --no-dereference

Do not follow symlinks.

-t <seconds>, --timeout <seconds>

Listen only for the specified amount of seconds.  If not specified, inotifywatch will gather statistics until receiving an interrupt signal by (for example) pressing CONTROL-C at the console.

-e <event>, --event <event>

Listen for specific event(s) only.  The events which can be listened for are listed in the Events section.  This option can be specified more than once.  If omitted, all events are listened for.

-a <event>, --ascending <event>

Sort output ascending by event counts for the specified event.  Sortable events include `total' and all the events listed in the Events section except `move' and `close' (you must use `moved_to', `moved_from', `close_write' or `close_nowrite' instead).  The default is to sort descending by `total'.

-d <event>, --descending <event>

Sort output descending by event counts for the specified event.  Sortable events include `total' and all the events listed in the Events section except `move' and `close' (you must use `moved_to', `moved_from', `close_write' or `close_nowrite' instead).  The default is to sort descending by `total'.

Exit Status

0

The program executed successfully.

1

An error occurred in execution of the program.

Events

The following events are valid for use with the -e option:

access

A watched file or a file within a watched directory was read from.

modify

A watched file or a file within a watched directory was written to.

attrib

The metadata of a watched file or a file within a watched directory was modified.  This includes timestamps, file permissions, extended attributes etc.

close_write

A watched file or a file within a watched directory was closed, after being opened in writable mode.  This does not necessarily imply the file was written to.

close_nowrite

A watched file or a file within a watched directory was closed, after being opened in read-only mode.

close

A watched file or a file within a watched directory was closed, regardless of how it was opened.  Note that this is actually implemented simply by listening for both close_write and close_nowrite, hence all close events received will be output as one of these, not CLOSE.

open

A watched file or a file within a watched directory was opened.

moved_to

A file or directory was moved into a watched directory.  This event occurs even if the file is simply moved from and to the same directory.

moved_from

A file or directory was moved from a watched directory.  This event occurs even if the file is simply moved from and to the same directory.

move

A file or directory was moved from or to a watched directory.  Note that this is actually implemented simply by listening for both moved_to and moved_from, hence all close events received will be output as one or both of these, not MOVE.

move_self

A watched file or directory was moved. After this event, the file or directory  is no longer being watched.

create

A file or directory was created within a watched directory.

delete

A file or directory within a watched directory was deleted.

delete_self

A watched file or directory was deleted.  After this event the file or directory is no longer being watched.  Note that this event can occur even if it is not explicitly being listened for.

unmount

The filesystem on which a watched file or directory resides was unmounted. After this event the file or directory is no longer being watched.  Note that this event can occur even if it is not explicitly being listened to.

fsnotifywatch

The following additional options are available:

-I,  --inotify

Watch using inotify.

-F,  --fanotify

Watch using fanotify (default). fanotify support for reporting events with inotify compatible information was added in kernel v5.9.  With older kernels the command will fail. As of kernel v5.12, fanotify requires admin privileges.

-S,  --filesystem

Watch entire filesystem of any directories passed as arguments using fanotify.

Example

Watching the `~/.beagle' directory for 60 seconds:

% inotifywatch -v -e access -e modify -t 60 -r ~/.beagle
Establishing watches...
Setting up watch(es) on /home/rohan/.beagle
OK, /home/rohan/.beagle is now being watched.
Total of 302 watches.
Finished establishing watches, now collecting statistics.
Will listen for events for 60 seconds.
total  access  modify  filename
1436   1074    362     /home/rohan/.beagle/Indexes/FileSystemIndex/PrimaryIndex/
1323   1053    270     /home/rohan/.beagle/Indexes/FileSystemIndex/SecondaryIndex/
303    116     187     /home/rohan/.beagle/Indexes/KMailIndex/PrimaryIndex/
261    74      187     /home/rohan/.beagle/TextCache/
206    0       206     /home/rohan/.beagle/Log/
42     0       42      /home/rohan/.beagle/Indexes/FileSystemIndex/Locks/
18     6       12      /home/rohan/.beagle/Indexes/FileSystemIndex/
12     0       12      /home/rohan/.beagle/Indexes/KMailIndex/Locks/
3      0       3       /home/rohan/.beagle/TextCache/54/
3      0       3       /home/rohan/.beagle/TextCache/bc/
3      0       3       /home/rohan/.beagle/TextCache/20/
3      0       3       /home/rohan/.beagle/TextCache/62/
2      2       0       /home/rohan/.beagle/Indexes/KMailIndex/SecondaryIndex/

Caveats

When using inotifywatch, the filename that is outputted is not guaranteed to be up to date after a move because it is the inode that is being monitored. Additionally, none of the observed operations are guaranteed to have been performed on the filename inotifywatch was instructed to monitor in cases when the file is known by several names in the filesystem.

Bugs

There are race conditions in the recursive directory watching code which can cause events to be missed if they occur in a directory immediately after that directory is created.  This is probably not fixable.

It is assumed the inotify event queue will never overflow.

Authors

inotifywatch was started by Rohan McGovern, and is currently maintained by Eric Curtin and Radu Voicilas. https://www.openhub.net/p/inotify-tools/contributors/summary gives you a more complete list of contributors.

inotifywatch is part of inotify-tools.  The inotify-tools website is located at: https://github.com/inotify-tools/inotify-tools/wiki

See Also

inotifywait(1), inotify(7)

Referenced By

inotify(7), inotifywait(1).

The man page fsnotifywatch(1) is an alias of inotifywatch(1).

2023-09-12 inotifywatch 4.23.9.0