Donate Ethereum: 0xd13338639d2d3eCeBea0B53C8E4C9085aa21Ccb2
LoggedFS is a FUSE-based filesystem which can log every operations that happens in it.
FUSE does almost everything. LoggedFS only sends a message to syslog when called by FUSE and then let the real filesystem do the rest of the job.
If LoggedFS 0.9 is included in your distribution you can just install with your package manager:
sudo apt-get install loggedfs
To record access to /tmp/TEST
into ~/log.txt
, just do:
loggedfs -l ~/log.txt /tmp/TEST
To stop recording, just unmount
as usual:
sudo umount /tmp/TEST
The ~/log.txt
file will need to be changed to readable by setting permissions:
chmod 0666 ~/log.txt
First you have to make sure that FUSE is installed on your computer. If you have a recent distribution it should be. FUSE can be downloaded here: github.com/libfuse/libfuse.
Then you should download the LoggedFS source code archive and install it with the make
command:
sudo apt-get install libfuse-dev libxml2-dev libpcre2-dev
wget https://github.com/rflament/loggedfs/archive/loggedfs-0.X.tar.gz
tar xfz loggedfs-0.X.tar.gz
cd loggedfs-loggedfs-0.X
make
make install
LoggedFS has the following dependencies:
fuse
pcre2
libxml2
LoggedFS can use an XML configuration file if you want it to log operations only for certain files, for certain users, or for certain operations.
Here is a sample configuration file :
<?xml version="1.0" encoding="UTF-8"?>
<loggedFS logEnabled="true" printProcessName="true">
<includes>
<include extension=".*" uid="*" action=".*" retname=".*"/>
</includes>
<excludes>
<exclude extension=".*\.bak$" uid="*" action=".*" retname="SUCCESS"/>
<exclude extension=".*" uid="1000" action=".*" retname="FAILURE"/>
<exclude extension=".*" uid="*" action="getattr" retname=".*"/>
</excludes>
</loggedFS>
This configuration can be used to log everything except it if concerns a *.bak
file, or if the uid is 1000, or if the operation is getattr
.
If you just want to test LoggedFS you don't need any configuration file.
Just use that command:
loggedfs -f -p /var
You should see logs like these :
tail -f /var/log/syslog
2018-03-21 15:32:14,095 INFO [default] LoggedFS not running as a daemon
2018-03-21 15:32:14,095 INFO [default] LoggedFS running as a public filesystem
2018-03-21 15:32:14,095 INFO [default] LoggedFS starting at /var.
2018-03-21 15:32:14,095 INFO [default] chdir to /var
2018-03-21 15:32:15,375 INFO [default] getattr /var/ {SUCCESS} [ pid = 934 /usr/sbin/VBoxService uid = 0 ]
2018-03-21 15:32:15,375 INFO [default] getattr /var/run {SUCCESS} [ pid = 934 /usr/sbin/VBoxService uid = 0 ]
2018-03-21 15:32:15,376 INFO [default] readlink /var/run {SUCCESS} [ pid = 934 /usr/sbin/VBoxService uid = 0 ]
2018-03-21 15:32:15,376 INFO [default] readlink /var/run {SUCCESS} [ pid = 934 /usr/sbin/VBoxService uid = 0 ]
2018-03-21 15:32:15,890 INFO [default] getattr /var/cache {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,891 INFO [default] getattr /var/cache/apt {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,891 INFO [default] getattr /var/cache/apt/archives {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,891 INFO [default] getattr /var/cache/apt/archives/partial {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,891 INFO [default] getattr /var/cache/apt/archives/partial {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,892 INFO [default] getattr /var/lib {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,892 INFO [default] getattr /var/lib/apt {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,892 INFO [default] getattr /var/lib/apt/lists {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,892 INFO [default] getattr /var/lib/apt/lists/partial {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:15,892 INFO [default] getattr /var/lib/apt/lists/partial {SUCCESS} [ pid = 1539 update-notifier uid = 1000 ]
2018-03-21 15:32:17,873 INFO [default] LoggedFS closing.
If you have a configuration file to use you should use this command:
./loggedfs -c loggedfs.xml -p /var
If you want to log what other users do on your filesystem, you should use the -p
option to allow them to see your mounted files. For a complete documentation see the manual page.
Rémi Flament - remipouak at gmail.com