Monitoring Disk-Level Changes in Real-Time Using inotifywait
- Siddhesh Kadam
- Jan 14, 2025

Monitoring file system activity in real-time is crucial for system administrators, developers, and DevOps engineers. Whether you’re troubleshooting an issue, auditing system behavior, or simply tracking changes to a specific directory, inotifywait is a powerful and lightweight tool to achieve this.
In this blog, I’ll guide you through setting up and using inotifywait on a RHEL/Rocky Linux-based system. We’ll also explore practical examples to monitor disk-level changes in real-time.
Step 1: Installing inotify-tools
To use inotifywait, you need to install the inotify-tools package. Follow these steps:
Command:
[root@siddhesh ~]# dnf install -y inotify-tools
Expected Output:
# Last metadata expiration check: 0:05:12 ago on Mon Jan 11 10:00:00 2025.
# Dependencies resolved.
===================================================================
Package Arch Version Repository
===================================================================
Installing:
inotify-tools x86_64 3.20.1.1-1.el8 epel
Transaction Summary
===================================================================
Install 1 Package
Total download size: 68 k
Installed size: 192 k
...
Complete!
Step 2: Understanding inotifywait
inotifywait is part of the inotify-tools package. It uses the Linux kernel's inotify API to monitor file system events such as file creation, modification, deletion, and access.
Commonly Monitored Events:
create: Detects when a file or directory is created.
modify: Detects changes to file contents.
delete: Detects when a file or directory is deleted.
access: Detects when a file is read.
move: Detects when a file or directory is moved.
Step 3: Monitoring a Directory in Real-Time
Let’s create a script to monitor a directory for file-level changes.
Script Example:
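#!/bin/bash
# Directory to watch and the log file that receives the events
MONITORED_DIR="/home/builddevops/"
LOG_FILE="/var/log/builddevops_changes.log"
# Stop early if the directory is missing
if [ ! -d "$MONITORED_DIR" ]; then
    echo "Directory $MONITORED_DIR does not exist. Exiting."
    exit 1
fi
echo "Monitoring $MONITORED_DIR for changes..."
# -m: keep running, -r: include subdirectories, -e: events to report
inotifywait -m -r \
    -e create -e modify -e delete -e move \
    "$MONITORED_DIR" | while IFS= read -r event; do
    # Prefix each event line with a timestamp and append it to the log
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $event" >> "$LOG_FILE"
done
How It Works: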
inotifywait -m -r: The -m flag makes inotifywait run continuously, and the -r flag enables recursive monitoring of subdirectories.
-e create -e modify ...: Specifies the events to monitor.
Logging Events: Each event is appended to a log file with a timestamp.
Run the Script:
Save the script as monitor_iotest.sh, make it executable, and run it:
[root@siddhesh ~]# chmod +x monitor_iotest.sh
[root@siddhesh ~]# ./monitor_iotest.sh
Step 4: Testing Real-Time Monitoring
Scenario 1: Creating a File
[root@siddhesh ~]# touch /home/builddevops/test.txt
Log Output:
2025-01-11 10:30:12 - /home/builddevops/ CREATE test.txt
Scenario 2: Modifying a File
[root@siddhesh ~]# echo "Hello, Builddevops!" >> /home/builddevops/test.txt
Log Output:
2025-01-14 10:31:05 - /home/builddevops/ MODIFY test.txt
Scenario 3: Deleting a File
[root@siddhesh ~]# rm /home/builddevops/test.txt
Log Output:
2025-01-14 10:32:18 - /home/builddevops/ DELETE test.txt
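Once the log grows, a short parser helps to see which files have disappeared and how many events of each type were recorded. The following is an added example, not part of the original post: triage_log and sample_log are hypothetical names, the sample lines are constructed, and it assumes the watched directory path contains no spaces.

```bash
#!/bin/bash
# Added example: summarize a log written in the Step 4 format:
#   "DATE TIME - WATCHED_DIR/ EVENTS NAME"
# Assumption: the watched directory path has no spaces; file names may.

# Constructed sample lines (not real log data).
sample_log() {
    cat <<'EOF'
2025-01-14 10:30:12 - /home/builddevops/ CREATE test.txt
2025-01-14 10:31:05 - /home/builddevops/ MODIFY test.txt
2025-01-14 10:32:18 - /home/builddevops/ DELETE test.txt
2025-01-14 10:33:00 - /home/builddevops/ CREATE,ISDIR reports
2025-01-14 10:33:40 - /home/builddevops/reports/ CREATE q1 draft.txt
2025-01-14 10:34:02 - /home/builddevops/reports/ MOVED_FROM q1 draft.txt
this line is not in the expected format
EOF
}

# Reads log lines from the named files, or from stdin when none are given.
triage_log() {
    awk '
    # Lines that do not match the expected layout are counted, not parsed.
    $3 != "-" || NF < 6 { malformed++; next }
    {
        # Everything after the first five fields is the file name, so
        # names containing spaces are kept intact.
        prefix = $1 " " $2 " - " $4 " " $5 " "
        path = $4 substr($0, length(prefix) + 1)
        # EVENTS may be a comma list (CREATE,ISDIR); the first is the action.
        split($5, ev, ",")
        count[ev[1]]++
        last[path] = ev[1]
        when[path] = $1 " " $2
    }
    END {
        for (e in count) printf "count %s %d\n", e, count[e]
        # A path whose final event is DELETE or MOVED_FROM is no longer there.
        for (p in last)
            if (last[p] == "DELETE" || last[p] == "MOVED_FROM")
                printf "gone %s %s\n", when[p], p
        printf "malformed %d\n", malformed + 0
    }' "$@" | LC_ALL=C sort
}

sample_log | triage_log
```

inotify events carry no user or process information, so this summary shows what changed and when, not who changed it.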
Step 5: Additional Options
Monitor Access Events:
[root@siddhesh ~]# inotifywait -m -e access /home/builddevops/
Use Case: Track when files are being read.
Limit Monitoring to Specific File Types:
[root@siddhesh ~]# inotifywait -m -e create --format "%f" /home/builddevops/ | grep '\.log$'
Use Case: Monitor only .log files being created.
Conclusion
inotifywait is an invaluable tool for monitoring file system activity in real-time. With its lightweight nature and easy-to-use syntax, it’s perfect for scenarios like debugging, auditing, and securing your system. By leveraging inotifywait effectively, you can stay on top of changes and ensure your environment runs smoothly.
















