From owner-freebsd-questions@FreeBSD.ORG Sat Nov 22 15:17:08 2003 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6BE1C16A4CE for ; Sat, 22 Nov 2003 15:17:08 -0800 (PST) Received: from ms-smtp-03-eri0.southeast.rr.com (ms-smtp-03-lbl.southeast.rr.com [24.25.9.102]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5290343FD7 for ; Sat, 22 Nov 2003 15:17:07 -0800 (PST) (envelope-from wegster@mindcore.net) Received: from mindcore.net (rdu163-100-105.nc.rr.com [24.163.100.105]) hAMNH1Fm000474; Sat, 22 Nov 2003 18:17:01 -0500 (EST) Message-ID: <3FBFEE6B.4000803@mindcore.net> Date: Sat, 22 Nov 2003 18:16:59 -0500 From: Scott W User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 X-Accept-Language: en-us, en MIME-Version: 1.0 To: cpghost@cordula.ws References: <200311222258.hAMMwApd092388@fw.farid-hajji.net> In-Reply-To: <200311222258.hAMMwApd092388@fw.farid-hajji.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-questions@freebsd.org Subject: Re: Monitoring a file? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Nov 2003 23:17:08 -0000 Cordula's Web wrote: >Hello list, > >maybe someone knows the answer for the following problem already? > >Summary: >======== > What is the canonical way to monitor accesses to a file? > >Problem description: >==================== > > A file, let's say, /path/to/a/file, is being modified by > an unknown process P(u) at random times. Unfortunately, > the name of the program ran by P(u) is unknown. > > The goal is to catch P(u) "red-handed," just the moment > it accesses /path/to/a/file, e.g. by looking up in the > process table with ps(1). > >No solutions: >============= > > 1. Polling /path/to/a/file with stat(), lstat(), fstat(), > and running a ps(1) as soon as the access times change; > then diff(1) on all ps listings, trying to identify P(u). > > This solution is not good enough, because P(u) runs faster > than the polling interval, and setting this polling interval > to very small values is too expensive on a production server. > > 2. NFS mounting /path/to/a/file, and modifying nfsd(1) in such > a way, that it runs ps(1) as soon as a request for > /path/to/a/file is received. Let's call the modified > nfsd nfsd-debug. Of course debug-nfsd and P(u) must run > on the same machine. > > This is not good enough either, because ps(1)-listing > is too long, and not always conclusive. > > 3. Using kqueue(2) and kevent(2) in a monitoring process > P(m). P(m) would be attached to /path/to/a/file, and > would use kevent(2) to receive kernel notifications > as soon as /path/to/a/file is touched. > > Probably not enough either, because it is not possible to > know which process triggered the event, only that an > event occured on that vnode. > > -> Is that correct? I'm not familiar enough with kevent(2). > >Question: >========= > > I assume that some kind of monitoring process P(m) is > needed, which would attach to /path/to/a/file, use kevent(2) > to get notifications from the kernel. Now, how could P(m) > find out, which process generated the events it gets? > >Alternative question: >===================== > > Is there another, preferably clever, way to solve this problem? > >Thank you. > > > You may want to take a look at 'fam,' in /usr/ports/devel/fam , as some of the code's already been done for this type of monitoring AFAIK... Scott