ファイルの利用状態をモニタリングできる『pyinotify』

ボケっとネットサーフィンしてたところ、Python製のツールでfswatchのようにファイルの変更を検知・記録できる『pyinotify』というツールを見かけたので、CentOS 7上で試してみることにする。 インストールは簡単で、pipから導入が可能なようだ。

yum install -y epel-release
yum install -y python-pip
pip install --upgrade pip
pip install pyinotify

インストールできたら、以下のようにコマンドを実行することで対象のディレクトリ配下でのイベントをモニタリングする事ができる。

python -m pyinotify -ar -v モニタリング対象Path

[root@BS-PUB-CENT7-01 ~]# python -m pyinotify -ar -v /opt
[2017-04-09 00:00:59,643 pyinotify DEBUG] Start monitoring ['/opt'], (press c^c to halt pyinotify)
[2017-04-09 00:00:59,644 pyinotify DEBUG] New <Watch wd=1 path=/opt mask=4095 proc_fun=None auto_add=True exclude_filter=<function <lambda> at 0x1c507d0> dir=True >
[2017-04-09 00:01:06,522 pyinotify DEBUG] Event queue size: 96
[2017-04-09 00:01:06,523 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x40000100 name=test1 wd=1 >
[2017-04-09 00:01:06,523 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x40000100 name=test2 wd=1 >
[2017-04-09 00:01:06,523 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x40000100 name=test3 wd=1 >
[2017-04-09 00:01:06,524 pyinotify DEBUG] New <Watch wd=2 path=/opt/test1 mask=4095 proc_fun=None auto_add=True exclude_filter=<function <lambda> at 0x1c507d0> dir=True >
<Event dir=True mask=0x40000100 maskname=IN_CREATE|IN_ISDIR name=test1 path=/opt pathname=/opt/test1 wd=1 >
[2017-04-09 00:01:06,525 pyinotify DEBUG] New <Watch wd=3 path=/opt/test2 mask=4095 proc_fun=None auto_add=True exclude_filter=<function <lambda> at 0x1c507d0> dir=True >
<Event dir=True mask=0x40000100 maskname=IN_CREATE|IN_ISDIR name=test2 path=/opt pathname=/opt/test2 wd=1 >
[2017-04-09 00:01:06,525 pyinotify DEBUG] New <Watch wd=4 path=/opt/test3 mask=4095 proc_fun=None auto_add=True exclude_filter=<function <lambda> at 0x1c507d0> dir=True >
<Event dir=True mask=0x40000100 maskname=IN_CREATE|IN_ISDIR name=test3 path=/opt pathname=/opt/test3 wd=1 >
[2017-04-09 00:01:06,525 pyinotify DEBUG] Event queue size: 288
[2017-04-09 00:01:06,525 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x40000020 name=test1 wd=1 >
[2017-04-09 00:01:06,526 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x40000020 name='' wd=2 >
[2017-04-09 00:01:06,526 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x40000010 name=test1 wd=1 >
[2017-04-09 00:01:06,526 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x40000010 name='' wd=2 >
[2017-04-09 00:01:06,526 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x40000020 name=test2 wd=1 >
[2017-04-09 00:01:06,526 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x40000020 name='' wd=3 >
[2017-04-09 00:01:06,526 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x40000010 name=test2 wd=1 >
[2017-04-09 00:01:06,527 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x40000010 name='' wd=3 >
[2017-04-09 00:01:06,527 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x40000020 name=test3 wd=1 >
[2017-04-09 00:01:06,527 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x40000020 name='' wd=4 >
[2017-04-09 00:01:06,527 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x40000010 name=test3 wd=1 >
[2017-04-09 00:01:06,527 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x40000010 name='' wd=4 >
<Event dir=True mask=0x40000020 maskname=IN_OPEN|IN_ISDIR name=test1 path=/opt pathname=/opt/test1 wd=1 >
<Event dir=True mask=0x40000020 maskname=IN_OPEN|IN_ISDIR name='' path=/opt/test1 pathname=/opt/test1 wd=2 >
<Event dir=True mask=0x40000010 maskname=IN_CLOSE_NOWRITE|IN_ISDIR name=test1 path=/opt pathname=/opt/test1 wd=1 >
<Event dir=True mask=0x40000010 maskname=IN_CLOSE_NOWRITE|IN_ISDIR name='' path=/opt/test1 pathname=/opt/test1 wd=2 >
<Event dir=True mask=0x40000020 maskname=IN_OPEN|IN_ISDIR name=test2 path=/opt pathname=/opt/test2 wd=1 >
<Event dir=True mask=0x40000020 maskname=IN_OPEN|IN_ISDIR name='' path=/opt/test2 pathname=/opt/test2 wd=3 >
<Event dir=True mask=0x40000010 maskname=IN_CLOSE_NOWRITE|IN_ISDIR name=test2 path=/opt pathname=/opt/test2 wd=1 >
<Event dir=True mask=0x40000010 maskname=IN_CLOSE_NOWRITE|IN_ISDIR name='' path=/opt/test2 pathname=/opt/test2 wd=3 >
<Event dir=True mask=0x40000020 maskname=IN_OPEN|IN_ISDIR name=test3 path=/opt pathname=/opt/test3 wd=1 >
<Event dir=True mask=0x40000020 maskname=IN_OPEN|IN_ISDIR name='' path=/opt/test3 pathname=/opt/test3 wd=4 >
<Event dir=True mask=0x40000010 maskname=IN_CLOSE_NOWRITE|IN_ISDIR name=test3 path=/opt pathname=/opt/test3 wd=1 >
<Event dir=True mask=0x40000010 maskname=IN_CLOSE_NOWRITE|IN_ISDIR name='' path=/opt/test3 pathname=/opt/test3 wd=4 >
[2017-04-09 00:01:15,742 pyinotify DEBUG] Event queue size: 128
[2017-04-09 00:01:15,743 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x100 name=test.txt wd=2 >
[2017-04-09 00:01:15,743 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x20 name=test.txt wd=2 >
[2017-04-09 00:01:15,743 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x2 name=test.txt wd=2 >
[2017-04-09 00:01:15,743 pyinotify DEBUG] <_RawEvent cookie=0 mask=0x8 name=test.txt wd=2 >
<Event dir=False mask=0x100 maskname=IN_CREATE name=test.txt path=/opt/test1 pathname=/opt/test1/test.txt wd=2 >
<Event dir=False mask=0x20 maskname=IN_OPEN name=test.txt path=/opt/test1 pathname=/opt/test1/test.txt wd=2 >
<Event dir=False mask=0x2 maskname=IN_MODIFY name=test.txt path=/opt/test1 pathname=/opt/test1/test.txt wd=2 >
<Event dir=False mask=0x8 maskname=IN_CLOSE_WRITE name=test.txt path=/opt/test1 pathname=/opt/test1/test.txt wd=2 >

ファイルの操作内容を取得する方法というと、auditdやらinotifyを利用したツール(pyinotifyもそのうちの一つだけど)など色々とあるけど、これも結構使えそうだ。