Skip to content

rflament/loggedfs

Repository files navigation

LoggedFS - Filesystem monitoring with Fuse

Build Status

Donate Ethereum: 0xd13338639d2d3eCeBea0B53C8E4C9085aa21Ccb2

Description

LoggedFS is a FUSE-based filesystem which can log every operations that happens in it.

How does it work ?

FUSE does almost everything. LoggedFS only sends a message to syslog when called by FUSE and then let the real filesystem do the rest of the job.

Installation

If LoggedFS 0.9 is included in your distribution you can just install with your package manager:

sudo apt-get install loggedfs

Simplest usage

To record access to /tmp/TEST into ~/log.txt, just do:

loggedfs -l ~/log.txt /tmp/TEST

To stop recording, just unmount as usual:

sudo umount /tmp/TEST

The ~/log.txt file will need to be changed to readable by setting permissions:

chmod 0666 ~/log.txt

Installation from source

First you have to make sure that FUSE is installed on your computer. If you have a recent distribution it should be. FUSE can be downloaded here: github.com/libfuse/libfuse.

Then you should download the LoggedFS source code archive and install it with the make command:

sudo apt-get install libfuse-dev libxml2-dev libpcre2-dev
wget https://github.com/rflament/loggedfs/archive/loggedfs-0.X.tar.gz
tar xfz loggedfs-0.X.tar.gz
cd loggedfs-loggedfs-0.X
make
make install

LoggedFS has the following dependencies:

fuse
pcre2
libxml2

Configuration

LoggedFS can use an XML configuration file if you want it to log operations only for certain files, for certain users, or for certain operations.

Here is a sample configuration file :

<?xml version="1.0" encoding="UTF-8"?>

<loggedFS logEnabled="true" printProcessName="true">
  <includes>
    <include extension=".*" uid="*" action=".*" retname=".*"/>
  </includes>
  <excludes>
    <exclude extension=".*\.bak$" uid="*" action=".*" retname="SUCCESS"/>
    <exclude extension=".*" uid="1000" action=".*" retname="FAILURE"/>
    <exclude extension=".*" uid="*" action="getattr" retname=".*"/>
  </excludes>
</loggedFS>

This configuration can be used to log everything except it if concerns a *.bak file, or if the uid is 1000, or if the operation is getattr.

Launching LoggedFS

If you just want to test LoggedFS you don't need any configuration file.

Just use that command:

loggedfs -f -p /var

You should see logs like these :

tail -f /var/log/syslog
2018-03-21 15:32:14,095 INFO [default] LoggedFS not running as a daemon
2018-03-21 15:32:14,095 INFO [default] LoggedFS running as a public filesystem
2018-03-21 15:32:14,095 INFO [default] LoggedFS starting at /var.
2018-03-21 15:32:14,095 INFO [default] chdir to /var
2018-03-21 15:32:15,375 INFO [default] getattr /var/ {SUCCESS} [ pid = 934 /usr/sbin/VBoxService uid = 0 ]
2018-03-21 15:32:15,375 INFO [default] getattr /var/run {SUCCESS} [ pid = 934 /usr/sbin/VBoxService uid = 0 ]
2018-03-21 15:32:15,376 INFO [default] readlink /var/run {SUCCESS} [ pid = 934 /usr/sbin/VBoxService uid = 0 ]
2018-03-21 15:32:15,376 INFO [default] readlink /var/run {SUCCESS} [ pid = 934 /usr/sbin/VBoxService uid = 0 ]
2018-03-21 15:32:15,890 INFO [default] getattr /var/cache {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,891 INFO [default] getattr /var/cache/apt {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,891 INFO [default] getattr /var/cache/apt/archives {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,891 INFO [default] getattr /var/cache/apt/archives/partial {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,891 INFO [default] getattr /var/cache/apt/archives/partial {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,892 INFO [default] getattr /var/lib {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,892 INFO [default] getattr /var/lib/apt {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,892 INFO [default] getattr /var/lib/apt/lists {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,892 INFO [default] getattr /var/lib/apt/lists/partial {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,892 INFO [default] getattr /var/lib/apt/lists/partial {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:17,873 INFO [default] LoggedFS closing.

If you have a configuration file to use you should use this command:

./loggedfs -c loggedfs.xml -p /var

If you want to log what other users do on your filesystem, you should use the -p option to allow them to see your mounted files. For a complete documentation see the manual page.

Rémi Flament - remipouak at gmail.com