In Linux to read File System Events, most of us use Inotify which is really a Good One. But it has it's limitations. I have to keep track of all the directories i have to watch and get a inotify descriptor for each and every directory. Let's say i want to monitor my Whole System and it has about 10 million directories. Listing and queuing them for inotify API itself would take hours. It would eat a lot of memory also. And i certainly can't watch directories more than that specified in max_user_watches in /etc/syscntl.conf or /proc/sys/fs/inotify/max_user_watches .
But we know that each and every file system event is monitored by Kernel and we use inotify API to register for a certain directory modifications. But how do i read fs events directly from kernel without API ..? [ In Mac OS X, i can read from /dev/fsevents , likewise if i can read from /proc or something like that, it would be great]. I'm ready to write a Kernel Module too, but please share some light on this.
Did you look at the virus scanner stuff? Ie, Fanotify, also fsnotify and hooked to dnotify and inotify. This depends on kernel version; present in some form since approximately 2.6.36 (early 2011).
Some kernel files,
Lwn.net links,
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With