Date:      Wed, 29 Oct 2003 01:07:26 -0800
From:      andi payn <andi_payn@speedymail.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: Log every access to a file
Message-ID:  <1067418435.36829.690.camel@verdammt.falcotronic.net>
In-Reply-To: <20031027113545.GB11587@happy-idiot-talk.infracaninophile.co.uk>
References:  <000c01c39c3e$72c47950$fe01a8c0@JMICH> <20031027113545.GB11587@happy-idiot-talk.infracaninophile.co.uk>

On Mon, 2003-10-27 at 03:35, Matthew Seaman wrote: 
> On Mon, Oct 27, 2003 at 11:57:31AM +0800, chael@southgate.ph.inter.net wrote:
> 
> > How do you create/add a system log to monitor every access to a specific file (say a database file accessed through samba)? A sample line for syslog.conf would be greatly appreciated ?? :-)
> 
> Samba has extensive logging capabilities itself -- which generally
> bypass syslog entirely, although there are options available to use
> syslog.  It will certainly log who is accessing the server and from
> what machines.  I don't think it has the capability to monitor
> accesses down to the level of a particular file though, but read the
> manuals carefully to be sure.
> 
> If you really need to log all accesses to the file, then probably your
> best bet is to only make the file available via a web interface, which
> can be set to require passwords before it will allow access and will
> supply the logs you require.  Alternatively, databases such as
> postgres or mysql can keep detailed logs of all queries run against
> them.  
Actually, there are two options that will allow you to monitor accesses
of any particular file.

The first is to periodically stat that file. This is incredibly simple
to do. The disadvantage is that if the file is being accessed very
often, you may miss some accesses (if you're checking every second, and
two people access in the same second, you'll only see one access); if
the file is being accessed very rarely, it's a bit of a waste of cpu and
disk time to keep checking it. But, nonetheless, this is sometimes the
best way to go.

I've attached a script statlog.py (requires python 2.3) that will do it
for you. It reads a list of filenames (one per line) from
/usr/local/etc/statlog.conf, begins monitoring each one, and outputs
to /var/log/statlog.log any time there's been a change to A/M/C time. By
default, it checks once/second, but you can change this with the -f flag
("./statlog -f 5" means five times/second, "./statlog -f 0.5" means
every two seconds, "./statlog -f 0" means "as often as you can"--which
you probably only want to use in conjunction with nice or idprio).

The second is to use fam. I should mention that I've only used fam under
linux, and, after a brief glance, it looks like the FreeBSD port
(/usr/ports/devel/fam) is not as powerful--in particular, FreeBSD
apparently doesn't provide imon support (a way for the filesystem to
make a callback to a usermode app like fam--no dnotify or anything
similar, either, apparently). Which implies that it's probably just a
heavier-weight way of doing the exact same thing--periodically stat'ing
a list of files--and that there is no better solution available.

But I could be wrong, and it's probably worth testing to see if it works
better for you. Also, if the files are stored on nfs-mounted drives (and
this may be true for smb also, but I don't know), and the nfs server is
running fam, the checks are passed off to the server, which makes them
faster (and, if the server is running linux or another imon-capable OS,
gets around the worries mentioned above).

You should have no problem getting fam itself working if you follow the
instructions in the message you get when installing the port/package.

Anyway, the second script, famlog.py, is a slightly-modified version of
a script that I've used for a similar purpose in linux. It reads the
filenames in /usr/local/etc/famlog.conf, tells fam to monitor all of
those files, and sends its output to /var/log/famlog.log. 

If either of these is useful to me, let me know. If you need help
automating stuff (making an rc.d/famlog.sh wrapper, and maybe a
logrotater), modifying either script to use syslog instead of its own
log file (should be a one-line change), etc., just ask. 

(NOTE: The attachments are scrubbed from the copy of this message sent
to the list; if anyone besides the original author wants them, let me
know.)
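As an added illustration of the stat-polling approach described above (this is not the author's statlog.py, which was scrubbed from the archive), the following Python 3 script takes successive stat() snapshots of a list of files and reports which of the A/M/C timestamps moved; the frequency handling mirrors the -f semantics in the message, while the log format and function names are my own assumptions.

```python
import os
import sys
import time

# Poll-based monitor: stat() each path at a fixed rate and report which of the
# A/M/C times moved since the last poll. Accesses between polls collapse into one.

def interval_from_frequency(freq):
    """Sleep seconds for a checks-per-second value: 5 -> 0.2, 0.5 -> 2.0, 0 -> 0."""
    if freq < 0:
        raise ValueError("frequency must be >= 0")
    return 0.0 if freq == 0 else 1.0 / freq

def stat_snapshot(path):
    """(atime, mtime, ctime) in nanoseconds, or None if the file is absent."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return (st.st_atime_ns, st.st_mtime_ns, st.st_ctime_ns)

def diff_snapshots(old, new):
    """Letters of the timestamps that differ; [] when nothing changed."""
    if old is None or new is None:
        return ['A', 'M', 'C'] if old != new else []
    return [name for name, a, b in zip('AMC', old, new) if a != b]

def poll_once(paths, last):
    """Stat every path once; return (path, letters, snapshot) events, update last."""
    events = []
    for path in paths:
        snap = stat_snapshot(path)
        changed = diff_snapshots(last.get(path), snap)
        if changed:
            events.append((path, changed, snap))
        last[path] = snap
    return events

def monitor(paths, freq=1.0, log=sys.stdout):
    """Run forever, appending one line per detected change to `log`."""
    delay = interval_from_frequency(freq)
    last = {p: stat_snapshot(p) for p in paths}  # baseline is not reported
    while True:
        for path, changed, _ in poll_once(paths, last):
            stamp = time.strftime('%Y-%m-%d %H:%M:%S')
            log.write('%s %s %s\n' % (stamp, ''.join(changed), path))
        log.flush()
        time.sleep(delay)
```

Note that on filesystems mounted with noatime or relatime a read does not necessarily bump atime, so the A column can under-report reads; mtime and ctime changes are reliable.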
