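Installing and Using inotify-tools, a Real-Time File Monitoring Tool for Linux
inotify is a subsystem (API) added in Linux kernel 2.6.13 (June 18, 2005). It provides an inode-based mechanism for monitoring file system events: it can watch for changes such as files being modified, created or deleted, and notify applications of the corresponding events.
Checking for inotify support
inotify-tools is only supported on Linux versions with kernel 2.6.13 (June 18, 2005) or later.
You can use any of the following 3 methods to check whether your system supports inotify-tools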
[root@WIND ~]# uname -a
Linux WIND 4.18.0-193.28.1.el8_2.x86_64 #1 SMP Thu Oct 22 00:20:22 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@WIND ~]#
[root@WIND ~]# cat /proc/version
Linux version 4.18.0-193.28.1.el8_2.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 8.3.1 20191121 (Red Hat 8.3.1-5) (GCC)) #1 SMP Thu Oct 22 00:20:22 UTC 2020
[root@WIND ~]#
[root@WIND ~]# ls /proc/sys/fs/inotify/
max_queued_events max_user_instances max_user_watches
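The following parameters in the /proc interface set how much memory inotify can use:
1. /proc/sys/fs/inotify/max_queued_events
When an application uses inotify it must initialize an inotify instance, and an event queue is set up for that instance at the same time. The value in this file sets the upper limit on the length of that queue; events beyond this limit are dropped.
2. /proc/sys/fs/inotify/max_user_instances
The value in this file sets the upper limit on the number of inotify instances that each user ID (a user identified by ID) can create.
3. /proc/sys/fs/inotify/max_user_watches
The value in this file sets the upper limit on the number of files or directories that each user ID can watch.
While we are here, let's check the default values of these parameters on our system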
[root@WIND ~]# cat /proc/sys/fs/inotify/max_user_watches
8192
[root@WIND ~]# cat /proc/sys/fs/inotify/max_user_instances
128
[root@WIND ~]# cat /proc/sys/fs/inotify/max_queued_events
16384
[root@WIND ~]#
These values can be tuned; for example, we can raise max_user_watches
echo 1048204800 > /proc/sys/fs/inotify/max_user_watches
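inotify-tools is a set of components comprising a C library and several command-line tools, which can be used to monitor file system events from the command line or from scripts.
inotify-tools provides two command-line tools:
1) inotifywait: waits, via the inotify API, for the corresponding events on watched files and returns the result. By default, normal results go to standard output and diagnostic messages go to standard error. It can exit once a specified event is seen on a watched object, or it can monitor continuously.
2) inotifywatch: collects events on watched files or directories via the inotify API and outputs statistics.
Installation
Install directly with yum -y install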
[root@WIND ~]# yum -y install inotify-tools
Last metadata expiration check: 2:19:59 ago on Tue 29 Mar 2022 02:41:41 PM CST.
Dependencies resolved.
===============================================================================================================================
Package Architecture Version Repository Size
===============================================================================================================================
Installing:
inotify-tools x86_64 3.14-19.el8 epel 57 k
Transaction Summary
===============================================================================================================================
Install 1 Package
Total download size: 57 k
Installed size: 120 k
Downloading Packages:
inotify-tools-3.14-19.el8.x86_64.rpm 8.8 MB/s | 57 kB 00:00
-------------------------------------------------------------------------------------------------------------------------------
Total 5.6 MB/s | 57 kB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : inotify-tools-3.14-19.el8.x86_64 1/1
Running scriptlet: inotify-tools-3.14-19.el8.x86_64 1/1
Verifying : inotify-tools-3.14-19.el8.x86_64 1/1
Installed:
inotify-tools-3.14-19.el8.x86_64
Complete!
Check that it installed correctly
[root@WIND ~]# which inotifywait
/usr/bin/inotifywait
[root@WIND ~]# which inotifywatch
/usr/bin/inotifywatch
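You can see that the commands are now available
inotifywait
inotifywait is especially suited to waiting for an event in a script and then acting on specific events. For example, a script can use it to watch a directory for files being modified, created, deleted or having their attributes changed, and then use rsync to synchronize the affected files to another host.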
[root@WIND ~]# inotifywait -h
inotifywait 3.14
Wait for a particular event on a file or set of files.
Usage: inotifywait [ options ] file1 [ file2 ] [ file3 ] [ ... ]
Options:
-h|--help Show this help text.
@<file> Exclude the specified file from being watched.
--exclude <pattern>
Exclude all events on files matching the
extended regular expression <pattern>.
--excludei <pattern>
Like --exclude but case insensitive.
-m|--monitor Keep monitoring a file or directory continuously; without this option, it exits after the first event is seen
-d|--daemon Same as --monitor, except run in the background
logging events to a file specified by --outfile.
Implies --syslog.
-r|--recursive Watch directories recursively; as seen earlier, max_user_watches defaults to 8192, and you can raise this value yourself
--fromfile <file>
Read files to watch from <file> or `-' for stdin.
-o|--outfile <file>
Write the monitoring results to the file we specify
-s|--syslog Send errors to syslog rather than stderr.
-q|--quiet Print less (only print events).
-qq Print nothing (not even events).
--format <fmt> Print using a specified printf-like format
string; read the man page for more details.
--timefmt <fmt> strftime-compatible format string for use with
%T in --format string.
-c|--csv Print events in CSV format.
-t|--timeout <seconds>
When listening for a single event, time out after
waiting for an event for <seconds> seconds.
If <seconds> is 0, inotifywait will never time out.
-e|--event <event1> [ -e|--event <event2> ... ]
Specify the particular events to watch for; without this option, all events are watched by default. The events include access, modify, attrib, close_write, close_nowrite, close, open, moved_to, moved_from, move, create, delete, delete_self, etc.
Exit status:
0 - An event you asked to watch for was received.
1 - An event you did not ask to watch for was received
(usually delete_self or unmount), or some error occurred.
2 - The --timeout option was given and no events occurred
in the specified interval of time.
Events:
access file or directory contents were read
modify file or directory contents were written
attrib file or directory attributes changed
close_write file or directory closed, after being opened in
writeable mode
close_nowrite file or directory closed, after being opened in
read-only mode
close file or directory closed, regardless of read/write mode
open file or directory opened
moved_to file or directory moved to watched directory
moved_from file or directory moved from watched directory
move file or directory moved to or from watched directory
create file or directory created within watched directory
delete file or directory deleted within watched directory
delete_self file or directory was deleted
unmount file system containing file or directory unmounted
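The rsync use case described above, as an added example (not code from the original article): the loop reads inotifywait events and decides whether to push a file or mirror a deletion. SRC, DEST and the function names are assumptions; with DRY_RUN=1 (the default here) the rsync commands are only printed.

```shell
#!/bin/sh
# Added example (not from the original article). SRC and DEST are assumed values.
SRC="${SRC:-/data/www}"                      # hypothetical directory to watch
DEST="${DEST:-backup@192.0.2.10:/data/www}"  # hypothetical rsync target
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands instead of running them

# Print the command in dry-run mode, execute it otherwise. Arguments stay
# separate words, so file names from events are never re-parsed by the shell.
# stdin is /dev/null so rsync/ssh cannot swallow queued event lines.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@" </dev/null; fi
}

# Map the comma-separated event list printed by %e to an action.
plan_action() {
    case ",$1," in
        *,DELETE,*|*,MOVED_FROM,*) echo prune ;;   # entry left the tree
        *,CLOSE_WRITE,*|*,MOVED_TO,*|*,ATTRIB,*) echo push ;;
        *,CREATE,*)
            # A new file is pushed on its later CLOSE_WRITE, once complete;
            # an empty directory never gets one, so push it on CREATE.
            case ",$1," in *,ISDIR,*) echo push ;; *) echo skip ;; esac ;;
        *) echo skip ;;
    esac
}

# Read "EVENTS|PATH" lines. The path is the last field, so a '|' inside a
# file name survives; names containing newlines are not supported.
process_events() {
    while IFS='|' read -r events path; do
        [ -n "$path" ] || continue
        rel=${path#"$SRC"/}
        case $(plan_action "$events") in
            push)  run rsync -aR "$SRC/./$rel" "$DEST/" ;;
            prune) dir=$(dirname "$rel")
                   run rsync -a --delete "$SRC/$dir/" "$DEST/$dir/" ;;
        esac
    done
}

# Long-running watcher: -m keeps monitoring, -r recurses, -q prints events only.
watch_and_sync() {
    inotifywait -m -r -q --format '%e|%w%f' \
        -e close_write -e moved_to -e moved_from \
        -e create -e delete -e attrib "$SRC" | process_events
}

if [ "${1:-}" = "--run" ]; then watch_and_sync; fi
```

Run the script with `--run` to start watching; set DRY_RUN=0 only after the printed commands look right for your SRC and DEST.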
inotifywatch
[root@WIND ~]# inotifywatch -h
inotifywatch 3.14
Gather filesystem usage statistics using inotify.
Usage: inotifywatch [ options ] file1 [ file2 ] [ ... ]
Options:
-h|--help Show this help text.
-v|--verbose Be verbose.
@<file> Exclude the specified file from being watched.
--fromfile <file>
Read files to watch from <file> or `-' for stdin.
--exclude <pattern>
Exclude all events on files matching the extended regular
expression <pattern>.
--excludei <pattern>
Like --exclude but case insensitive.
-z|--zero
In the final table of results, output rows and columns even
if they consist only of zeros (the default is to not output
these rows and columns).
-r|--recursive Watch directories recursively.
-t|--timeout <seconds>
Listen only for specified amount of time in seconds; if
omitted or 0, inotifywatch will execute until receiving an
interrupt signal.
-e|--event <event1> [ -e|--event <event2> ... ]
Listen for specific event(s). If omitted, all events are
listened for.
-a|--ascending <event>
Sort ascending by a particular event, or `total'.
-d|--descending <event>
Sort descending by a particular event, or `total'.
Exit status:
0 - Exited normally.
1 - Some error occurred.
Events:
access file or directory contents were read
modify file or directory contents were written
attrib file or directory attributes changed
close_write file or directory closed, after being opened in
writeable mode
close_nowrite file or directory closed, after being opened in
read-only mode
close file or directory closed, regardless of read/write mode
open file or directory opened
moved_to file or directory moved to watched directory
moved_from file or directory moved from watched directory
move file or directory moved to or from watched directory
create file or directory created within watched directory
delete file or directory deleted within watched directory
delete_self file or directory was deleted
unmount file system containing file or directory unmounted