• Installing and using inotify-tools, a real-time file monitoring tool for Linux

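    inotify is a subsystem (API) added in Linux kernel 2.6.13 (June 18, 2005). It provides a mechanism for monitoring (inode-based) file system events: it can watch for file system changes such as files being modified, created or deleted, and notify applications of the corresponding events.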

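    Checking for inotify support
    inotify-tools is supported only on Linux with kernel 2.6.13 (June 18, 2005) or later.
    You can use any one of the following three methods to check whether your system supports inotify-tools: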

    [root@WIND ~]# uname -a
    Linux WIND 4.18.0-193.28.1.el8_2.x86_64 #1 SMP Thu Oct 22 00:20:22 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
    [root@WIND ~]#
    [root@WIND ~]# cat /proc/version
    Linux version 4.18.0-193.28.1.el8_2.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 8.3.1 20191121 (Red Hat 8.3.1-5) (GCC)) #1 SMP Thu Oct 22 00:20:22 UTC 2020
    [root@WIND ~]#
    [root@WIND ~]# ls /proc/sys/fs/inotify/
    max_queued_events  max_user_instances  max_user_watches
    

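    The following parameters in the /proc interface limit how much memory inotify can use:
    1. /proc/sys/fs/inotify/max_queued_events
    An application that uses inotify must initialize an inotify instance, and an event queue is set up for that instance. The value in this file is the upper limit on the length of that queue; events beyond the limit are dropped.
    2. /proc/sys/fs/inotify/max_user_instances
    The value in this file is the upper limit on the number of inotify instances each user ID can create.
    3. /proc/sys/fs/inotify/max_user_watches
    The value in this file is the upper limit on the number of files or directories each user ID can watch.
    While we are here, let's check the default values of these parameters on our system: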

    [root@WIND ~]# cat  /proc/sys/fs/inotify/max_user_watches
    8192
    [root@WIND ~]# cat  /proc/sys/fs/inotify/max_user_instances
    128
    [root@WIND ~]# cat  /proc/sys/fs/inotify/max_queued_events
    16384
    [root@WIND ~]#
    

    These values can be tuned, for example by raising max_user_watches:

    echo 1048204800 > /proc/sys/fs/inotify/max_user_watches
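
Before raising max_user_watches it helps to know how many watches a recursive watch of a given tree actually needs. The script below is an added example, not part of the original article; the function names, the headroom percentage and the /etc/sysctl.d file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): check whether a recursive
# watch of a directory tree fits within fs.inotify.max_user_watches.
# inotifywait -r places one watch on every directory in the tree, and the
# limit is shared by all inotify users running under the same user ID.
INOTIFY_PROC=/proc/sys/fs/inotify

# Number of watches needed to watch $1 recursively (one per directory).
watches_needed() {
    echo $(( $(find "$1" -type d 2>/dev/null | wc -l) ))
}

# Limit to compare against: $1 if given (what-if check), else the live value.
watch_limit() {
    if [ -n "${1:-}" ]; then
        echo "$1"
    else
        cat "$INOTIFY_PROC/max_user_watches"
    fi
}

# check_watch_budget DIR [LIMIT] [HEADROOM_PERCENT]
# Prints "ok ..." and returns 0 if the tree fits, otherwise prints
# "raise ..." with a suggested limit (need + headroom) and returns 1.
check_watch_budget() {
    need=$(watches_needed "$1")
    limit=$(watch_limit "${2:-}")
    headroom=${3:-50}
    if [ "$need" -le "$limit" ]; then
        echo "ok need=$need limit=$limit"
        return 0
    fi
    suggested=$(( need + need * headroom / 100 ))
    echo "raise need=$need limit=$limit suggested=$suggested"
    return 1
}

# Applying a new limit (as root):
#   sysctl -w fs.inotify.max_user_watches=<suggested>    # until next reboot
#   echo 'fs.inotify.max_user_watches = <suggested>' \
#       > /etc/sysctl.d/90-inotify.conf && sysctl --system   # persistent
# (90-inotify.conf is an assumed file name.)

# Stand-alone use: sh check_watches.sh /path/to/tree
if [ $# -gt 0 ]; then
    check_watch_budget "$@"
fi
```

A value written to /proc with echo lasts only until the next reboot; the sysctl.d entry in the comments is what makes it persistent.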
    

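    inotify-tools is a set of components consisting of a C library and several command-line tools, which can be used from the command line or from scripts to monitor file system events.
    inotify-tools provides two command-line tools:
    1) inotifywait: waits through the inotify API for events on the monitored files and returns the result. By default, normal results go to standard output and diagnostic messages go to standard error. It can exit once the specified event has been observed on the monitored object, or it can monitor continuously.
    2) inotifywatch: collects events on the monitored files or directories through the inotify API and prints statistics.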

    Installation
    Install directly with yum -y install:

    [root@WIND ~]# yum -y install inotify-tools
    Last metadata expiration check: 2:19:59 ago on Tue 29 Mar 2022 02:41:41 PM CST.
    Dependencies resolved.
    ===============================================================================================================================
     Package                           Architecture               Version                           Repository                Size
    ===============================================================================================================================
    Installing:
     inotify-tools                     x86_64                     3.14-19.el8                       epel                      57 k
    
    Transaction Summary
    ===============================================================================================================================
    Install  1 Package
    
    Total download size: 57 k
    Installed size: 120 k
    Downloading Packages:
    inotify-tools-3.14-19.el8.x86_64.rpm                                                           8.8 MB/s |  57 kB     00:00
    -------------------------------------------------------------------------------------------------------------------------------
    Total                                                                                          5.6 MB/s |  57 kB     00:00
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                                                                                       1/1
      Installing       : inotify-tools-3.14-19.el8.x86_64                                                                      1/1
      Running scriptlet: inotify-tools-3.14-19.el8.x86_64                                                                      1/1
      Verifying        : inotify-tools-3.14-19.el8.x86_64                                                                      1/1
    
    Installed:
      inotify-tools-3.14-19.el8.x86_64
    
    Complete!
    

    Check that the installation succeeded:

    [root@WIND ~]# which inotifywait
    /usr/bin/inotifywait
    [root@WIND ~]# which inotifywatch
    /usr/bin/inotifywatch
    

    As you can see, the commands are now available.

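    inotifywait
    inotifywait is particularly suited to waiting for an event in a script and taking an action based on specific events. For example, a script can use it to monitor modifications, creations, deletions and attribute changes on files in a given directory, and then use rsync to synchronize the affected file to other hosts.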

    [root@WIND ~]# inotifywait -h
    inotifywait 3.14
    Wait for a particular event on a file or set of files.
    Usage: inotifywait [ options ] file1 [ file2 ] [ file3 ] [ ... ]
    Options:
    	-h|--help     	Show this help text.
    	@<file>       	Exclude the specified file from being watched.
    	--exclude <pattern>
    	              	Exclude all events on files matching the
    	              	extended regular expression <pattern>.
    	--excludei <pattern>
    	              	Like --exclude but case insensitive.
    	-m|--monitor  	Keep monitoring the file or directory continuously;
    	              	without this option, inotifywait exits after the
    	              	first event.
    	-d|--daemon   	Same as --monitor, except run in the background
    	              	logging events to a file specified by --outfile.
    	              	Implies --syslog.
    	-r|--recursive	Watch directories recursively. As seen above, the
    	              	default max_user_watches is 8192; you can raise
    	              	this value yourself.
    	--fromfile <file>
    	              	Read files to watch from <file> or `-' for stdin.
    	-o|--outfile <file>
    	              	Write the monitoring results to the file we specify.
    	-s|--syslog   	Send errors to syslog rather than stderr.
    	-q|--quiet    	Print less (only print events).
    	-qq           	Print nothing (not even events).
    	--format <fmt>	Print using a specified printf-like format
    	              	string; read the man page for more details.
    	--timefmt <fmt>	strftime-compatible format string for use with
    	              	%T in --format string.
    	-c|--csv      	Print events in CSV format.
    	-t|--timeout <seconds>
    	              	When listening for a single event, time out after
    	              	waiting for an event for <seconds> seconds.
    	              	If <seconds> is 0, inotifywait will never time out.
    	-e|--event <event1> [ -e|--event <event2> ... ]
    		Specify the particular events to watch; without this option,
    		all events are watched by default. These include access,
    		modify, attrib, close_write, close_nowrite, close, open,
    		moved_to, moved_from, move, create, delete, delete_self, etc.
    
    Exit status:
    	0  -  An event you asked to watch for was received.
    	1  -  An event you did not ask to watch for was received
    	      (usually delete_self or unmount), or some error occurred.
    	2  -  The --timeout option was given and no events occurred
    	      in the specified interval of time.
    
    Events:
    	access		file or directory contents were read
    	modify		file or directory contents were written
    	attrib		file or directory attributes changed
    	close_write	file or directory closed, after being opened in
    	           	writeable mode
    	close_nowrite	file or directory closed, after being opened in
    	           	read-only mode
    	close		file or directory closed, regardless of read/write mode
    	open		file or directory opened
    	moved_to	file or directory moved to watched directory
    	moved_from	file or directory moved from watched directory
    	move		file or directory moved to or from watched directory
    	create		file or directory created within watched directory
    	delete		file or directory deleted within watched directory
    	delete_self	file or directory was deleted
    	unmount		file system containing file or directory unmounted
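
The script-plus-rsync use described above, written out with the options from this help text. This is an added example, not code from the original article; SRC, DEST, LOG, the ignore patterns and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): log inotifywait events and
# mirror the watched tree with rsync. SRC, DEST and LOG are assumed values.
SRC=${SRC:-/data/www/}
DEST=${DEST:-backup@192.0.2.10:/data/www/}
LOG=${LOG:-/var/log/inotify-sync.log}

# classify_event "TIME|EVENTS|PATH" -> prints "sync PATH" or "skip PATH".
# PATH is the last field, so a '|' inside a file name cannot shift fields
# (a newline in a file name would still split the line).
classify_event() {
    rest=${1#*|}            # drop the timestamp field
    events=${rest%%|*}      # comma-separated, e.g. CLOSE_WRITE,CLOSE
    path=${rest#*|}
    case "${path##*/}" in   # ignore editor swap/backup files
        *.swp|*.swx|*'~') echo "skip $path"; return 0 ;;
    esac
    case ",$events," in
        *,CLOSE_WRITE,*|*,CREATE,*|*,DELETE,*|*,MOVED_TO,*|*,MOVED_FROM,*|*,ATTRIB,*)
            echo "sync $path" ;;
        *)  echo "skip $path" ;;
    esac
}

# close_write is used instead of modify: modify fires on every write(),
# close_write fires once when a file opened for writing is closed.
watch_and_sync() {
    inotifywait -mrq --timefmt '%F %T' --format '%T|%e|%w%f' \
        -e close_write -e create -e delete -e move -e attrib "$SRC" |
    while IFS= read -r line; do
        action=$(classify_event "$line")
        echo "$line -> $action" >>"$LOG"
        case "$action" in
            # </dev/null keeps rsync/ssh from consuming the event stream
            sync\ *) rsync -az --delete "$SRC" "$DEST" </dev/null >>"$LOG" 2>&1 ;;
        esac
    done
}

# Stand-alone use: sh inotify_sync.sh --run
if [ "${1:-}" = "--run" ]; then
    watch_and_sync
fi
```

The log written here doubles as a change record for the watched tree: every create, delete, move and attribute change is timestamped whether or not it triggers a sync.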
    

    inotifywatch

    [root@WIND ~]# inotifywatch -h
    inotifywatch 3.14
    Gather filesystem usage statistics using inotify.
    Usage: inotifywatch [ options ] file1 [ file2 ] [ ... ]
    Options:
    	-h|--help    	Show this help text.
    	-v|--verbose 	Be verbose.
    	@<file>       	Exclude the specified file from being watched.
    	--fromfile <file>
    		Read files to watch from <file> or `-' for stdin.
    	--exclude <pattern>
    		Exclude all events on files matching the extended regular
    		expression <pattern>.
    	--excludei <pattern>
    		Like --exclude but case insensitive.
    	-z|--zero
    		In the final table of results, output rows and columns even
    		if they consist only of zeros (the default is to not output
    		these rows and columns).
    	-r|--recursive	Watch directories recursively.
    	-t|--timeout <seconds>
    		Listen only for specified amount of time in seconds; if
    		omitted or 0, inotifywatch will execute until receiving an
    		interrupt signal.
    	-e|--event <event1> [ -e|--event <event2> ... ]
    		Listen for specific event(s).  If omitted, all events are
    		listened for.
    	-a|--ascending <event>
    		Sort ascending by a particular event, or `total'.
    	-d|--descending 
    		Sort descending by a particular event, or `total'.
    
    Exit status:
    	0  -  Exited normally.
    	1  -  Some error occurred.
    
    Events:
    	access		file or directory contents were read
    	modify		file or directory contents were written
    	attrib		file or directory attributes changed
    	close_write	file or directory closed, after being opened in
    	           	writeable mode
    	close_nowrite	file or directory closed, after being opened in
    	           	read-only mode
    	close		file or directory closed, regardless of read/write mode
    	open		file or directory opened
    	moved_to	file or directory moved to watched directory
    	moved_from	file or directory moved from watched directory
    	move		file or directory moved to or from watched directory
    	create		file or directory created within watched directory
    	delete		file or directory deleted within watched directory
    	delete_self	file or directory was deleted
    	unmount		file system containing file or directory unmounted
    
  • Original article: https://blog.csdn.net/MRQ1734/article/details/123826307