Terry : Use inotify to monitor file system activity

Install inotify-tools


How to use inotify-tools

Example, recursively watching ~/.config/google-chrome for 60 seconds while using Chrome.

terry@tux:~$ inotifywatch -v -e access -e modify -t 60 -r ~/.config/google-chrome/
Establishing watches...
Setting up watch(es) on /home/terry/.config/google-chrome/
OK, /home/terry/.config/google-chrome/ is now being watched.
Total of 576 watches.
Finished establishing watches, now collecting statistics.
Will listen for events for 60 seconds.
total access modify filename
120 8 112 /home/terry/.config/google-chrome/Default/databases/chrome-extension_cnfkkfleeiooolklkgkmigodkmcopnji_0/
58 2 56 /home/terry/.config/google-chrome/Default/
29 29 0 /home/terry/.config/google-chrome/Default/databases/
18 1 17 /home/terry/.config/google-chrome/Default/Local Storage/
2 2 0 /home/terry/.config/google-chrome/Default/databases/chrome-extension_mnaelnkmidnndgikjbiifihgklnocljd_0/

What is incron

Description: cron-like daemon which handles filesystem events
incron is an "inotify cron" system. It works like the regular cron but is driven by filesystem events instead of time events. This package provides two programs, a daemon called "incrond" (analogous to crond) and a table manipulator "incrontab" (like "crontab").

incron uses the Linux Kernel inotify syscalls.

like cron, each user can edit its own incron tables.

incron can be used to :

  • notifying programs (e.g. server daemons) about changes in configuration
  • guarding changes in critical files (with their eventual recovery)
  • file usage monitoring, statistics
  • automatic on-crash cleanup
  • automatic on-change backup or versioning
  • new mail notification (for maildir)
  • server upload notification
  • installation management (outside packaging systems)
  • ... and many others

Homepage: http://inotify.aiken.cz/


apt-get install incron

Configuration files

  • /etc/incron.conf - Main incron configuration file
  • /etc/incron.d/ - This directory is examined by incrond for system table files. You should put all your config file here as per directory or domain names.
  • /etc/incron.allow - This file contains users allowed to use incron.
  • /etc/incron.deny - This file contains users denied to use incron.
  • /var/spool/incron - This directory is examined by incrond for user table files which is set by users running the incrontab command.

incron Syntax


<directory> <file change mask> <command or action> options
/var/www/html IN_CREATE /root/scripts/backup.sh
/sales IN_DELETE /root/scripts/sync.sh
/var/named/chroot/var/master IN_CREATE,IN_ATTRIB,IN_MODIFY /sbin/rndc reload


<directory> - It is nothing but path which is an absolute filesystem path such as /home/data. Any changes made to this path will result into command or action.

<file change mask> - Mask is is nothing but various file system events such as deleting a file. Each event can result into command execution. Use the following masks:

  • IN_ACCESS - File was accessed (read)
  • IN_ATTRIB - Metadata changed (permissions, timestamps, extended attributes, etc.)
  • IN_CLOSE_WRITE - File opened for writing was closed
  • IN_CLOSE_NOWRITE - File not opened for writing was closed
  • IN_CREATE - File/directory created in watched directory
  • IN_DELETE - File/directory deleted from watched directory
  • IN_DELETE_SELF - Watched file/directory was itself deleted
  • IN_MODIFY - File was modified
  • IN_MOVE_SELF - Watched file/directory was itself moved
  • IN_MOVED_FROM - File moved out of watched directory
  • IN_MOVED_TO - File moved into watched directory
  • IN_OPEN - File was opened
  • The IN_ALL_EVENTS symbol is defined as a bit mask of all of the above events.

<command or action> - Run command or scripts when mask matched on given directory.

options - It can be any one of the following with command (i.e. you can pass it as arg to your command):

  1. $$ - dollar sign
  2. $@ - watched filesystem path (see above)
  3. $# - event-related file name
  4. $% - event flags (textually)
  5. $& - event flags (numerically)

Turn the service on

service incrond start

Make it auto start when booting

 chkconfig --level 345 iocrond on


Type the following command to edit your incrontab

incrontab -e

Run logger command when file created or deleted from /tmp directory

/tmp IN_ALL_EVENTS logger "/tmp action for $# file"

Save and close the file. Now cd to /tmp and create a file

$ cd /tmp
$ >foo
$ rm foo

To see message, enter

$ sudo tail -f /var/log/messages

Sample outputs

Jul 17 18:39:25 support logger: "/tmp action for foo file"



Monitor file system activity with inotify

Linux incrond inotify: Monitor Directories For Changes And Take Action