File System Monitoring Service With inotifywait on CentOS 7 64-bit

If you wish to monitor your server files, log changes, or receive notifications triggered by delete, upload, or modify events, the best way to go about it is to use inotify-tools.

First, you need to install inotify-tools on the server, and for this you need to enable the EPEL repository. You will need to know whether your CentOS is 32 or 64 bit; you can check that by typing "arch" while logged in as root:

root@cloud5 [~]# arch
x86_64

root@cloud5 [~]# cat /etc/centos-release
CentOS Linux release 7.1.1503 (Core)

In the above case I have a 64-bit CentOS Linux release 7.1.1503 (Core).

We need to download the rpm:

root@cloud5 [~]# wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

and install it:

rpm -ivh epel-release-7-5.noarch.rpm

Once this is done, we can install inotify-tools with yum:

root@cloud5 [~]# yum install inotify-tools

In our case, we will want to run inotifywait as a service and create an init script. First we will create our configuration file:

root@cloud5 [~]# cat /etc/inotifywait.conf
# specify log file
LOGFILE=/var/log/inotify.log

# specify target directory for monitoring
MONITOR=/home

# specify target events for monitoring (comma separated)
# refer to "man inotifywait" for kinds of events
EVENT=create,delete,modify,move

Next, we will create the init script:

root@cloud5 [~]# cat /etc/rc.d/init.d/inotifywait
#!/bin/bash

# inotifywait: Start/Stop inotifywait
#
# chkconfig: - 80 20
# description: inotifywait waits for changes to files using inotify.
#
# processname: inotifywait

. /etc/rc.d/init.d/functions
. /etc/sysconfig/network
# LOGFILE, MONITOR and EVENT come from the configuration file
. /etc/inotifywait.conf

LOCK=/var/lock/subsys/inotifywait

RETVAL=0
start() {
    echo -n $"Starting inotifywait: "
    # -d daemonize, -m monitor indefinitely, -r recurse, -q quiet
    /usr/bin/inotifywait \
        --format '%w%f %e %T' \
        --timefmt '%Y/%m/%d-%H:%M:%S' \
        --exclude '.*\.sw[pox].*' \
        -e "$EVENT" \
        -o "$LOGFILE" \
        -dmrq "$MONITOR"

    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch "$LOCK"
    return $RETVAL
}
stop() {
    echo -n $"Stopping inotifywait: "
    killproc inotifywait
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f "$LOCK"
    return $RETVAL
}
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status inotifywait
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart}"
        exit 1
        ;;
esac
exit $?

The permissions need to be 755:

chmod 755 /etc/rc.d/init.d/inotifywait

We can start the service now:

/etc/rc.d/init.d/inotifywait start

The result will be like this:

root@cloud5 [~]# /etc/rc.d/init.d/inotifywait start
Starting inotifywait (via systemctl): [ OK ]

We need to ensure that the service starts when the server boots, so we need to add it to chkconfig:

chkconfig --add inotifywait

chkconfig inotifywait on

The log file specified in the configuration, /var/log/inotify.log, will now record all changes that occur in /home, each with the server time stamp.
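Because the log format is '%w%f %e %T', a path that contains spaces shifts the fields when a line is split on whitespace. The following added example (not part of the original article) reads each line from the right-hand end, counts events by type, and lists written files whose path matches a caller-supplied pattern. The function names, the sample lines and the '\.(php|sh)$' pattern are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the article. Triage for a log written with
#   --format '%w%f %e %T' --timefmt '%Y/%m/%d-%H:%M:%S'

# inotify_events FILE: print "timestamp<TAB>events<TAB>path"; skip malformed lines
inotify_events() {
    awk 'NF >= 3 && $(NF-1) ~ /^[A-Z_,]+$/ &&
         $NF ~ /^[0-9]+\/[0-9]+\/[0-9]+-[0-9]+:[0-9]+:[0-9]+$/ {
        path = $0
        sub(/ [^ ]+ [^ ]+$/, "", path)   # strip " EVENTS TIMESTAMP", keep spaces in path
        printf "%s\t%s\t%s\n", $NF, $(NF-1), path
    }' "$1"
}

# inotify_counts FILE: number of events per type (ISDIR is a flag, not an event)
inotify_counts() {
    inotify_events "$1" | awk -F '\t' '
        { n = split($2, e, ",")
          for (i = 1; i <= n; i++) if (e[i] != "ISDIR") c[e[i]]++ }
        END { for (k in c) print k, c[k] }' | sort
}

# inotify_flag FILE REGEX: files written (created, modified, moved in) whose path
# matches REGEX; the regex goes through the environment so backslashes survive
inotify_flag() {
    inotify_events "$1" | RE="$2" awk -F '\t' '
        $2 !~ /ISDIR/ && ("," $2 ",") ~ /,(CREATE|MODIFY|MOVED_TO),/ &&
        $3 ~ ENVIRON["RE"]'
}

# Constructed sample lines (users and paths are made up)
sample_log() {
    cat <<'EOF'
/home/alice/public_html/index.html MODIFY 2015/06/01-10:15:02
/home/alice/public_html/uploads CREATE,ISDIR 2015/06/01-10:15:40
/home/alice/public_html/uploads/my photo.jpg CREATE 2015/06/01-10:16:03
/home/alice/public_html/uploads/img.php CREATE 2015/06/01-10:16:09
/home/alice/public_html/uploads/img.php MODIFY 2015/06/01-10:16:09
/home/bob/old.txt DELETE 2015/06/01-10:17:30
/home/bob/a.tmp MOVED_FROM 2015/06/01-10:18:00
/home/bob/run.sh MOVED_TO 2015/06/01-10:18:00
/home/bob/truncated MODIFY
EOF
}

# Demo: pass a real log as $1, otherwise the constructed sample is used
if [ -n "${1:-}" ]; then log=$1; else log=$(mktemp); sample_log > "$log"; fi
inotify_counts "$log"
inotify_flag "$log" '\.(php|sh)$'
```

On the server, run it against the file named in LOGFILE, for example /var/log/inotify.log.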

If the directory or partition that you specified for monitoring contains a lot of inodes, you will very often get an error. It will be either:

Please increase the amount of inotify watches allowed per user via `/proc/sys/fs/inotify/max_user_watches'.

or the service itself will not start properly when you check it with:

root@cloud5 [~]# /etc/rc.d/init.d/inotifywait status

The solution is to edit:

/etc/sysctl.conf

and add the following line:

fs.inotify.max_user_watches = 1000000

You can, of course, specify whatever value you want. You will then need to reload the sysctl configuration:

sysctl -p /etc/sysctl.conf

The above will do it for sure.

Enjoy!
