Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/rflament/loggedfs

LoggedFS - Filesystem monitoring with Fuse
https://github.com/rflament/loggedfs

filesystem filesystem-monitoring fuse loggedfs logging monitoring

Last synced: 3 months ago
JSON representation

LoggedFS - Filesystem monitoring with Fuse

Host: GitHub
URL: https://github.com/rflament/loggedfs
Owner: rflament
License: apache-2.0
Created: 2016-09-29T18:38:56.000Z (over 8 years ago)
Default Branch: master
Last Pushed: 2022-12-30T00:37:36.000Z (about 2 years ago)
Last Synced: 2024-08-01T15:32:32.242Z (6 months ago)
Topics: filesystem, filesystem-monitoring, fuse, loggedfs, logging, monitoring
Language: C++
Size: 812 KB
Stars: 115
Watchers: 10
Forks: 28
Open Issues: 7
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # LoggedFS - Filesystem monitoring with Fuse

[![Build Status](https://travis-ci.org/rflament/loggedfs.svg?branch=feature%2Feasylogging%2B%2B)](https://travis-ci.org/rflament/loggedfs)

Donate Ethereum: 0xd13338639d2d3eCeBea0B53C8E4C9085aa21Ccb2

## Description

LoggedFS is a [FUSE](https://en.wikipedia.org/wiki/Filesystem_in_Userspace)-based filesystem which can log every operations that happens in it.

### How does it work ?

FUSE does almost everything. LoggedFS only sends a message to syslog when called by FUSE and then let the real filesystem do the rest of the job.

## Installation

If LoggedFS 0.9 is included in your distribution you can just install with your package manager:

    sudo apt-get install loggedfs

## Simplest usage

To record access to `/tmp/TEST` into `~/log.txt`, just do:

    loggedfs -l ~/log.txt /tmp/TEST

To stop recording, just `unmount` as usual:

    sudo umount /tmp/TEST

The `~/log.txt` file will need to be changed to readable by setting permissions:

    chmod 0666 ~/log.txt

## Installation from source

First you have to make sure that FUSE is installed on your computer.

If you have a recent distribution it should be. FUSE can be downloaded here: [github.com/libfuse/libfuse](https://github.com/libfuse/libfuse).

Then you should download the LoggedFS source code archive and install it with the `make` command:

    sudo apt-get install libfuse-dev libxml2-dev libpcre2-dev

    wget https://github.com/rflament/loggedfs/archive/loggedfs-0.X.tar.gz

    tar xfz loggedfs-0.X.tar.gz

    cd loggedfs-loggedfs-0.X

    make

    make install

LoggedFS has the following dependencies:

    fuse

    pcre2

    libxml2

## Configuration

LoggedFS can use an XML configuration file if you want it to log operations only for certain files, for certain users, or for certain operations.

Here is a sample configuration file :

    

    

      

        

      

      

        

        

        

      

    

This configuration can be used to log everything except it if concerns a `*.bak` file, or if the uid is 1000, or if the operation is `getattr`.

## Launching LoggedFS

If you just want to test LoggedFS you don't need any configuration file.

Just use that command:

    loggedfs -f -p /var

You should see logs like these :

    tail -f /var/log/syslog

    2018-03-21 15:32:14,095 INFO [default] LoggedFS not running as a daemon

    2018-03-21 15:32:14,095 INFO [default] LoggedFS running as a public filesystem

    2018-03-21 15:32:14,095 INFO [default] LoggedFS starting at /var.

    2018-03-21 15:32:14,095 INFO [default] chdir to /var

    2018-03-21 15:32:15,375 INFO [default] getattr /var/ {SUCCESS} [ pid = 934 /usr/sbin/VBoxService uid = 0 ]

    2018-03-21 15:32:15,375 INFO [default] getattr /var/run {SUCCESS} [ pid = 934 /usr/sbin/VBoxService uid = 0 ]

    2018-03-21 15:32:15,376 INFO [default] readlink /var/run {SUCCESS} [ pid = 934 /usr/sbin/VBoxService uid = 0 ]

    2018-03-21 15:32:15,376 INFO [default] readlink /var/run {SUCCESS} [ pid = 934 /usr/sbin/VBoxService uid = 0 ]

    2018-03-21 15:32:15,890 INFO [default] getattr /var/cache {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]

    2018-03-21 15:32:15,891 INFO [default] getattr /var/cache/apt {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]

    2018-03-21 15:32:15,891 INFO [default] getattr /var/cache/apt/archives {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]

    2018-03-21 15:32:15,891 INFO [default] getattr /var/cache/apt/archives/partial {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]

    2018-03-21 15:32:15,891 INFO [default] getattr /var/cache/apt/archives/partial {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]

    2018-03-21 15:32:15,892 INFO [default] getattr /var/lib {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]

    2018-03-21 15:32:15,892 INFO [default] getattr /var/lib/apt {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]

    2018-03-21 15:32:15,892 INFO [default] getattr /var/lib/apt/lists {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]

    2018-03-21 15:32:15,892 INFO [default] getattr /var/lib/apt/lists/partial {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]

    2018-03-21 15:32:15,892 INFO [default] getattr /var/lib/apt/lists/partial {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]

    2018-03-21 15:32:17,873 INFO [default] LoggedFS closing.

If you have a configuration file to use you should use this command:

    ./loggedfs -c loggedfs.xml -p /var

If you want to log what other users do on your filesystem, you should use the `-p` option to allow them to see your mounted files. For a complete documentation see the manual page.

Rémi Flament - remipouak at gmail.com