inotifywait: Advanced File System Monitoring Tool

Overview

inotifywait is a powerful command-line utility that provides real-time monitoring of file system events on Linux systems. It is part of the inotify-tools package and leverages the Linux kernel's inotify subsystem to efficiently watch for changes in files and directories. This tool is essential for system administrators, developers, and automation scripts that need to respond to file system modifications in real-time.

The inotifywait command blocks until one or more events occur on specified files or directories, making it ideal for scripting scenarios where you need to trigger actions based on file system changes. Unlike polling-based solutions, inotifywait uses kernel-level notifications, providing efficient and immediate detection of file system events.

Installation

Ubuntu/Debian Systems

CentOS/RHEL/Fedora Systems

For CentOS/RHEL 7 and earlier

For CentOS/RHEL 8+ and Fedora

Arch Linux

Basic Syntax

`bash inotifywait [options] file1 [file2] [file3] [...] `

The basic operation involves specifying one or more files or directories to monitor, along with optional parameters to control the monitoring behavior and output format.

Command Options and Parameters

Core Options

| Option | Long Form | Description | |--------|-----------|-------------| | -m | --monitor | Keep listening for events forever | | -r | --recursive | Watch directories recursively | | -q | --quiet | Print less information | | -e | --event | Listen for specific events only | | -t | --timeout | Set timeout in seconds | | --format | --format | Print using a specified printf-like format string | | --timefmt | --timefmt | Strftime-compatible format string for use with %T | | --exclude | --exclude | Exclude files matching the given extended regular expression | | --excludei | --excludei | Like --exclude but case insensitive |

Output Control Options

| Option | Description | |--------|-------------| | -c | --csv | Print events in CSV format | | --daemon | Run as daemon | | -s | --syslog | Send errors to syslog rather than stderr | | -o | --outfile | Print events to file rather than stdout |

Event Selection Options

The -e or --event option allows you to specify which types of events to monitor. Multiple events can be specified by separating them with commas.

Event Types

inotifywait can monitor various types of file system events. Understanding these events is crucial for effective monitoring.

Primary Events

| Event | Description | When Triggered | |-------|-------------|----------------| | access | File was accessed (read) | When file content is read | | modify | File was modified | When file content is changed | | attrib | Metadata changed | When permissions, ownership, or timestamps change | | close_write | File opened for writing was closed | After writing to a file is complete | | close_nowrite | File not opened for writing was closed | After reading a file is complete | | close | File was closed (regardless of read/write mode) | Combination of close_write and close_nowrite | | open | File was opened | When file is opened for any operation | | moved_to | File moved to watched directory | When file is moved into monitored location | | moved_from | File moved from watched directory | When file is moved out of monitored location | | move | File was moved | Combination of moved_to and moved_from | | create | File or directory created | When new file/directory is created | | delete | File or directory deleted | When file/directory is removed | | delete_self | Watched file/directory was itself deleted | When the monitored item is deleted | | unmount | File system containing file/directory was unmounted | When filesystem is unmounted |

Special Event Groups

| Event Group | Description | Includes | |-------------|-------------|----------| | move_self | Watched file/directory was itself moved | Movement of the watched item | | all_events | All events | All available events |

Format Strings

The --format option allows customization of output format using printf-like format specifiers.

Format Specifiers

| Specifier | Description | Example Output | |-----------|-------------|----------------| | %w | Watched filename or directory | /home/user/documents/ | | %f | Event-related filename | file.txt | | %e | Event name | MODIFY | | %T | Current time (use with --timefmt) | 2023-12-01 15:30:45 |

Time Format Specifiers (for use with %T)

| Specifier | Description | Example | |-----------|-------------|---------| | %Y | Year with century | 2023 | | %m | Month as decimal number | 12 | | %d | Day of month | 01 | | %H | Hour (24-hour format) | 15 | | %M | Minute | 30 | | %S | Second | 45 |

Practical Examples

Basic File Monitoring

Monitor a single file for any changes: `bash inotifywait /home/user/important.txt `

This command will block and wait until any event occurs on the specified file, then exit after printing the event information.

Continuous Directory Monitoring

Monitor a directory continuously for all events: `bash inotifywait -m /home/user/documents/ `

The -m flag keeps the command running indefinitely, reporting each event as it occurs.

Recursive Directory Monitoring

Monitor a directory and all its subdirectories: `bash inotifywait -m -r /var/log/ `

This is particularly useful for monitoring complex directory structures where changes might occur at any level.

Monitoring Specific Events

Monitor only file modifications and creations: `bash inotifywait -m -e modify,create /home/user/projects/ `

This focuses monitoring on specific events, reducing noise from other file system activities.

Custom Output Format

Use custom formatting for cleaner output: `bash inotifywait -m -r --format '%T %w%f %e' --timefmt '%Y-%m-%d %H:%M:%S' /home/user/documents/ `

This produces output like: ` 2023-12-01 15:30:45 /home/user/documents/file.txt MODIFY 2023-12-01 15:31:02 /home/user/documents/newfile.txt CREATE `

Monitoring with Timeout

Monitor for events with a 60-second timeout: `bash inotifywait -t 60 -e modify /home/user/config.conf `

If no events occur within 60 seconds, the command exits with a timeout status.

Excluding Files

Monitor directory while excluding temporary files: `bash inotifywait -m -r --exclude '.*\.tmp

inotifywait: Advanced Linux File System Monitoring Guide

This excludes all files ending with .tmp from monitoring.

CSV Output Format

Generate CSV-formatted output for easier parsing: `bash inotifywait -m -r -c /var/www/html/ `

Output format: path,filename,event_names,cookie

Advanced Usage Scenarios

Log File Monitoring Script

Create a script to monitor log files and trigger alerts:

`bash #!/bin/bash

log_monitor.sh

LOG_DIR="/var/log/apache2" ALERT_EMAIL="admin@example.com"

inotifywait -m -r -e modify "$LOG_DIR" | while read path action file; do if [[ "$file" == *"error.log" ]]; then echo "Error log modified: $path$file at $(date)" | \ mail -s "Error Log Alert" "$ALERT_EMAIL" fi done `

Automatic Backup Trigger

Automatically backup files when they are modified:

`bash #!/bin/bash

auto_backup.sh

WATCH_DIR="/home/user/important_docs" BACKUP_DIR="/backup/important_docs"

inotifywait -m -r -e close_write "$WATCH_DIR" | while read path action file; do if [[ -f "$path$file" ]]; then cp "$path$file" "$BACKUP_DIR/" echo "Backed up: $file at $(date)" fi done `

Development File Watcher

Monitor source code changes and trigger builds:

`bash #!/bin/bash

build_watcher.sh

PROJECT_DIR="/home/developer/myproject" BUILD_CMD="make"

inotifywait -m -r -e modify --exclude '.*\.(o|tmp|log)

inotifywait: Advanced Linux File System Monitoring Guide

Configuration File Monitoring

Monitor configuration files and restart services:

`bash #!/bin/bash

config_monitor.sh

CONFIG_FILE="/etc/nginx/nginx.conf" SERVICE_NAME="nginx"

inotifywait -m -e modify "$CONFIG_FILE" | while read path action file; do echo "Configuration file modified: $file" echo "Validating configuration..." if nginx -t; then echo "Configuration valid, restarting service..." systemctl restart "$SERVICE_NAME" echo "Service restarted successfully" else echo "Configuration invalid, service not restarted" # Send alert or log error fi done `

Integration with Other Tools

Using with rsync for Real-time Synchronization

`bash #!/bin/bash

sync_monitor.sh

SOURCE_DIR="/home/user/sync_folder" DEST_DIR="user@remote:/backup/sync_folder"

inotifywait -m -r -e modify,create,delete "$SOURCE_DIR" | while read path action file; do echo "Change detected: $action on $file" rsync -av --delete "$SOURCE_DIR/" "$DEST_DIR/" echo "Synchronization completed at $(date)" done `

Integration with Git for Auto-commit

`bash #!/bin/bash

git_autocommit.sh

REPO_DIR="/home/user/my_repo" cd "$REPO_DIR"

inotifywait -m -r -e modify,create,delete --exclude '.\.git.' "$REPO_DIR" | while read path action file; do echo "File changed: $file" git add . git commit -m "Auto-commit: $action on $file at $(date)" done `

Performance Considerations

Kernel Limits

The inotify system has kernel-imposed limits that may need adjustment for large-scale monitoring:

`bash

Check current limits

Increase limits (temporary)

For permanent changes, add to /etc/sysctl.conf: ` fs.inotify.max_user_watches = 524288 fs.inotify.max_user_instances = 512 `

Resource Usage Optimization

| Consideration | Recommendation | |---------------|----------------| | Event filtering | Use specific events instead of monitoring all | | Path exclusion | Exclude unnecessary files/directories | | Recursive depth | Limit recursion depth when possible | | Output buffering | Use appropriate output redirection |

Troubleshooting

Common Issues and Solutions

| Issue | Cause | Solution | |-------|-------|----------| | "No space left on device" | inotify watch limit exceeded | Increase max_user_watches limit | | Events not detected | File on non-local filesystem | inotify only works on local filesystems | | High CPU usage | Too many events being processed | Filter events more specifically | | Permission denied | Insufficient permissions | Run with appropriate privileges |

Debugging Commands

Check inotify usage: `bash

List current inotify watches

Monitor inotify limits: `bash

Watch current usage

Best Practices

Script Design

1. Error Handling: Always include proper error handling in monitoring scripts 2. Signal Handling: Implement clean shutdown procedures 3. Logging: Maintain logs of monitoring activities 4. Resource Cleanup: Ensure proper cleanup of resources

Security Considerations

1. Privilege Separation: Run monitoring processes with minimal required privileges 2. Input Validation: Validate file paths and event data 3. Access Control: Restrict access to monitoring scripts and logs 4. Audit Trail: Maintain audit logs of monitoring activities

Example Production Script Template

`bash #!/bin/bash

production_monitor.sh

set -euo pipefail

Configuration

Functions

cleanup() { log_message "Shutting down file monitor" rm -f "$PID_FILE" exit 0 }

Signal handling

Store PID

log_message "Starting file monitor on $WATCH_DIR"

Main monitoring loop

This comprehensive guide covers the essential aspects of using inotifywait for file system monitoring, from basic usage to advanced integration scenarios. The tool's flexibility and efficiency make it an invaluable component in system administration, development workflows, and automated monitoring solutions.