Solved

Log deleted files

Posted on 2006-10-30
Last Modified: 2010-04-22
I am having an issue where a file is getting deleted, and I am trying to track down the cause. It doesn't seem to be a user deleting it on purpose; it may be a script that is deleting it. I would like to log all file deletions so I can find out who is deleting this file and at what time. I am running RHEL 4.
0
Comment
Question by:rtwilde
12 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 17836093
0
 

Author Comment

by:rtwilde
ID: 17837196
ravenpl:

Thanks for the links, but I didn't see what I'm looking for. I tried fileschanged, but it gives me errors. I am not looking for something I can incorporate into a program, like the 1st and last links seem to be; rather, I am looking for something that can run unattended and log all file deletions from any process (or within a directory).
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17840388
Well, it depends what You need. I downloaded and installed (on RH 4.4) http://surfnet.dl.sourceforge.net/sourceforge/fileschanged/fileschanged-0.6.5-0.i386.rpm
run: fileschanged -r -p -s deleted /tmp
on another console: touch /tmp/file1; rm /tmp/file1
the output from fileschanged was
R /tmp/file1

therefore removed file was logged. No timestamp? You can work around it. Create script and make it executable
#!/bin/sh
echo "$(date) :" "$@"

and run: fileschanged -r -p -s deleted -x /path/to/script /tmp
0

 
LVL 43

Accepted Solution

by:
ravenpl earned 500 total points
ID: 17840405
Or You simply don't know how to run it unattended?
the script:
#!/bin/sh
echo "$(date) :" "$@" >> /path/to/logfile

the run command
nohup fileschanged -rps deleted -x /path/to/script /dir/to/watch &

You can put it into /etc/rc.d/rc.local so it will start automatically with the system.
0
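A hardened form of the `-x` handler from the accepted solution, added here as an example and not part of the original post: it writes a UTC timestamp, keeps file names with spaces intact, and replaces control characters so a crafted file name cannot forge extra log lines. It assumes fileschanged calls the handler with the action code followed by the file name; `LOGFILE` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: handler for `fileschanged -rps deleted -x /path/to/script /dir/to/watch`.
# Assumption: fileschanged runs the handler as: handler ACTION FILENAME
# LOGFILE is a placeholder path; override it in the environment.
LOGFILE="${LOGFILE:-/path/to/logfile}"

# Replace every control character (newline, tab, escape, DEL) with '?'
# so one event always produces exactly one log line.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr '\000-\037\177' '[?*]'
}

# Build one log line: "<timestamp> <action> <path>".
# The path goes last so embedded spaces stay unambiguous.
format_event() {
    ts=$1
    action=$2
    shift 2
    printf '%s %s %s\n' "$ts" "$(sanitize "$action")" "$(sanitize "$*")"
}

# Append one event to the log with the current UTC time.
log_event() {
    format_event "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$@" >> "$LOGFILE"
}

# When called by fileschanged (action + file name present), log the event.
if [ "$#" -ge 2 ]; then
    log_event "$@"
fi
```

Making the log file writable only by the account that runs fileschanged keeps other local users from editing the record.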
 

Author Comment

by:rtwilde
ID: 17844759
I think I'm getting it now...

I've installed this, and it seems to work, the only question I have - is it possible to also display the username or UID of person doing the deleting?

Also, I've noticed that when monitoring a directory recursively with a large amount of files, it doesn't always show when I've deleted a file.  I'm still testing this, to see if it's something I'm doing.

Thanks.
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17845087
> is it possible to also display the username or UID of person doing the deleting?
That's the drawback - if possible, never invented how.
I also looked into FAMEvent - seems that there is no room for that information :(
0
 

Author Comment

by:rtwilde
ID: 17850033
Hmmm, unfortunately, who deletes is important to me, but I am much further along thanks to your help.  Is there another area I could ask this question, or is this something I would have to re-write the ext3 code to do (not an option, BTW)?
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17850154
> Hmmm, unfortunately, who deletes is important to me
I know - I faced the problem myself...
> Is there another area I could ask this question
Try making pointer question at Linux Programming area. Maybe someone... Try it.
> or is this something I would have to re-write the ext3 code to do
Rather linux VFS code. The inotify code...
0
 

Author Comment

by:rtwilde
ID: 17850291
Thank you ravenpl for your help.
0
 

Expert Comment

by:winsoc
ID: 17850338
Hello ravenpl you need tripwire to do this for you.
Read the documentation and install the open source version.

Regards.

0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17850459
tripwire? I thought it's a database, which is compared and updated every time it's run. Used to verify which files are changed.
How can it provide the info who changed/removed the file?
[ If You can answer this, I'll open new Q to give You points for that ]
0
 

Author Comment

by:rtwilde
ID: 17850810
If tripwire can tell me who deleted something, that would be exactly what I need, but a bit of help with it would be appreciated.
0
