Solved

Log deleted files

Posted on 2006-10-30
12
379 Views
Last Modified: 2010-04-22
I am having an issue where a file is getting deleted, and I am trying to track down the cause.  It doesn't seem to be a user deleting it on purpose, it may be a script that is deleting it.  I would like to log all file deletions so I can find out who and what time this file is being deleted.  I am running RHEL 4.
0
Comment
Question by:rtwilde
  • 6
  • 5
12 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 17836093
0
 

Author Comment

by:rtwilde
ID: 17837196
ravenpl:

Thanks for the links,  but I didn't see what I'm looking for.  I tried fileschanged, but it gives me errors.  I am not looking for something I can incorporate into a program, like the 1st and last links seem to be, rather I am looking for something that can run unattended and log all file deletions from any process (or within a directory).
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17840388
Well, it depends what You need. I downloaded and installed (on RH 4.4) http://surfnet.dl.sourceforge.net/sourceforge/fileschanged/fileschanged-0.6.5-0.i386.rpm
run: fileschanged -r -p -s deleted /tmp
on another console: touch /tmp/file1; rm /tmp/file1
the output from fileschanged was
R /tmp/file1

therefore removed file was logged. No timestamp? You can workaround it. Create script and make it executeable
#!/bin/sh
echo "`date` :" $@

and run: fileschanged -r -p -s deleted -x /path/to/script /tmp
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 43

Accepted Solution

by:
ravenpl earned 500 total points
ID: 17840405
Or You simply don't know hot to run it unattended?
the script:
#!/bin/sh
echo "`date` :" $@ >> /path/to/logfile

the run command
nohup fileschanged -rps deleted -x /path/to/script /dir/to/watch &

You can put it into /etc/rc.d/rc.local so it will start automatically with the system.
0
 

Author Comment

by:rtwilde
ID: 17844759
I think I'm getting it now...

I've installed this, and it seems to work, the only question I have - is it possible to also display the username or UID of person doing the deleting?

Also, I've noticed that when monitoring a directory recursively with a large amount of files, it doesn't always show when I've deleted a file.  I'm still testing this, to see if it's something I'm doing.

Thanks.
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17845087
> is it possible to also display the username or UID of person doing the deleting?
That's the drawback - if possible, never invented how.
I also looked into FAMEvent - seems that there is no room for that information :(
0
 

Author Comment

by:rtwilde
ID: 17850033
Hmmm, unfortunately, who deletes is important to me, but I am much further along thanks to your help.  Is there another area I could ask this question, or is this something I would have to re-write the ext3 code to do (not an option, BTW)?
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17850154
> Hmmm, unfortunately, who deletes is important to me
I know - I faced the problem myself...
> Is there another area I could ask this question
Try making pointer question at Linux Programming area. Maybe someone... Try it.
> or is this something I would have to re-write the ext3 code to do
Rather linux VFS code. The inotify code...
0
 

Author Comment

by:rtwilde
ID: 17850291
Thank you ravenpl for your help.
0
 

Expert Comment

by:winsoc
ID: 17850338
Hello ravenpl you need tripwire to do this for you.
Read the documentation and install the open source version.

Regards.

0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17850459
tripwire? I thought it's database, which is compared and updated everytime it's run. Used to verify which files are changed.
How can it provide the info who changed/removed the file?
[ If You can answer this, I'll open new Q to give You points for that ]
0
 

Author Comment

by:rtwilde
ID: 17850810
If tripwire can tell me who deleted something, that would be exactly what I need, but a bit of help with it would be appreciated.
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question