From owner-freebsd-questions@FreeBSD.ORG Wed Oct 29 01:07:29 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2454816A4CF for ; Wed, 29 Oct 2003 01:07:29 -0800 (PST)
Received: from mta6.adelphia.net (mta6.adelphia.net [68.168.78.190]) by mx1.FreeBSD.org (Postfix) with ESMTP id E99B243FDF for ; Wed, 29 Oct 2003 01:07:27 -0800 (PST) (envelope-from andi_payn@speedymail.org)
Received: from [10.1.0.9] ([68.65.235.109]) by mta6.adelphia.net (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP id <20031029090730.OXYX27924.mta6.adelphia.net@[10.1.0.9]> for ; Wed, 29 Oct 2003 04:07:30 -0500
From: andi payn
To: freebsd-questions@freebsd.org
In-Reply-To: <20031027113545.GB11587@happy-idiot-talk.infracaninophile.co.uk>
References: <000c01c39c3e$72c47950$fe01a8c0@JMICH> <20031027113545.GB11587@happy-idiot-talk.infracaninophile.co.uk>
Content-Type: text/plain
Message-Id: <1067418435.36829.690.camel@verdammt.falcotronic.net>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.5
Date: Wed, 29 Oct 2003 01:07:26 -0800
Content-Transfer-Encoding: 7bit
Subject: Re: Log every access to a file
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 29 Oct 2003 09:07:29 -0000

On Mon, 2003-10-27 at 03:35, Matthew Seaman wrote:
> On Mon, Oct 27, 2003 at 11:57:31AM +0800, chael@southgate.ph.inter.net wrote:
>
> > How do you create/add a system log to monitor every access to a
> > specific file (say a database file accessed through samba)? A sample
> > line for syslog.conf would be greatly appreciated ?? :-)
>
> Samba has extensive logging capabilities itself -- which generally
> bypass syslog entirely, although there are options available to use
> syslog.
> It will certainly log who is accessing the server and from
> what machines. I don't think it has the capability to monitor
> accesses down to the level of a particular file though, but read the
> manuals carefully to be sure.
>
> If you really need to log all accesses to the file, then probably your
> best bet is to only make the file available via a web interface, which
> can be set to require passwords before it will allow access and will
> supply the logs you require. Alternatively, databases such as
> postgres or mysql can keep detailed logs of all queries run against
> them.

Actually, there are two options that will allow you to monitor accesses
of any particular file.

The first is to periodically stat that file. This is incredibly simple
to do. The disadvantage is that if the file is being accessed very
often, you may miss some accesses (if you're checking every second, and
two people access in the same second, you'll only see one access); if
the file is being accessed very rarely, it's a bit of a waste of cpu
and disk time to keep checking it. But, nonetheless, this is sometimes
the best way to go.

I've attached a script statlog.py (requires python 2.3) that will do it
for you. It reads a list of filenames (one per line) from
/usr/local/etc/statlog.conf, begins monitoring each one, and outputs to
/var/log/statlog.log any time there's been a change to A/M/C time. By
default, it checks once/second, but you can change this with the -f
flag ("./statlog -f 5" means five times/second, "./statlog -f 0.5"
means every two seconds, "./statlog -f 0" means "as often as you
can"--which you probably only want to use in conjunction with nice or
idprio).

The second is to use fam.
I should mention that I've only used fam under linux, and, after a brief
glance, it looks like the FreeBSD port (/usr/ports/devel/fam) is not as
powerful--in particular, FreeBSD apparently doesn't provide imon support
(a way for the filesystem to make a callback to a usermode app like
fam--no dnotify or anything similar, either, apparently). Which implies
that it's probably just a heavier-weight way of doing the exact same
thing--periodically stat'ing a list of files--and that there is no
better solution available. But I could be wrong, and it's probably worth
testing to see if it works better for you.

Also, if the files are stored on nfs-mounted drives (and this may be
true for smb also, but I don't know), and the nfs server is running
fam, the checks are passed off to the server, which makes them faster
(and, if the server is running linux or another imon-capable OS, gets
around the worries mentioned above). You should have no problem getting
fam itself working if you follow the instructions in the message you
get when installing the port/package.

Anyway, the second script, famlog.py, is a slightly-modified version of
a script that I've used for a similar purpose in linux. It reads the
filenames in /usr/local/etc/famlog.conf, tells fam to monitor all of
those files, and sends its output to /var/log/famlog.log.

If either of these is useful to you, let me know. If you need help
automating stuff (making an rc.d/famlog.sh wrapper, and maybe a
logrotater), modifying either script to use syslog instead of its own
log file (should be a one-line change), etc., just ask.

(NOTE: The attachments are scrubbed from the copy of this message sent
to the list; if anyone besides the original author wants them, let me
know.)
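The stat-polling approach described in the message above, as an added example written for this page: it is not the author's scrubbed statlog.py, it targets Python 3 rather than 2.3, and the config path, log line format and the way the -f flag is parsed are assumptions modelled on the description, not taken from the original attachment.

```python
#!/usr/bin/env python3
# Added example (not the scrubbed statlog.py from the message): a minimal
# stat-polling monitor of the kind described above. Python 3 rather than
# the 2.3 the original required; file names, log format and the -f flag
# handling below are assumptions modelled on the description.
import os
import sys
import time

# Timestamp names in the same order as the tuple built by snapshot().
FIELDS = ("atime", "mtime", "ctime")


def snapshot(path):
    """Return (atime, mtime, ctime) in nanoseconds, or None if the path
    cannot be stat()ed. stat() does not touch atime, so polling does not
    itself generate the accesses it is watching for."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return (st.st_atime_ns, st.st_mtime_ns, st.st_ctime_ns)


def compare(path, old, new):
    """Describe what changed between two snapshots of `path`.
    Returns a list of event strings; empty when nothing changed."""
    if old == new:
        return []
    if old is None:
        return ["%s: appeared" % path]
    if new is None:
        return ["%s: disappeared" % path]
    changed = [name for name, a, b in zip(FIELDS, old, new) if a != b]
    return ["%s: %s changed" % (path, ",".join(changed))]


def poll(paths, state):
    """One polling pass. `state` maps path -> last snapshot and is
    updated in place; the events seen since the previous pass are
    returned. Several accesses between two passes collapse into at most
    one event per file, which is the approach's known limit."""
    events = []
    for path in paths:
        new = snapshot(path)
        events.extend(compare(path, state.get(path), new))
        state[path] = new
    return events


def load_config(config_path):
    """One filename per line; blank lines and '#' comments are skipped."""
    with open(config_path) as f:
        return [ln.strip() for ln in f
                if ln.strip() and not ln.lstrip().startswith("#")]


def main(argv):
    # Usage: statlog.py [-f CHECKS_PER_SECOND] [CONFIG]   (assumed interface)
    freq, args = 1.0, list(argv)
    if args[:1] == ["-f"]:
        freq, args = float(args[1]), args[2:]
    config = args[0] if args else "/usr/local/etc/statlog.conf"
    paths = load_config(config)
    # Prime the state so the first pass does not report every file as "appeared".
    state = {p: snapshot(p) for p in paths}
    interval = 1.0 / freq if freq > 0 else 0.0   # -f 0: check as fast as possible
    while True:
        for event in poll(paths, state):
            sys.stdout.write("%s %s\n" % (time.strftime("%Y-%m-%dT%H:%M:%S"), event))
        sys.stdout.flush()
        time.sleep(interval)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Two things to check before trusting this on a Samba share: run it on the machine that owns the filesystem (on a client it only sees what the server hands back), and confirm the filesystem is not mounted noatime or relatime, since in that case a plain read leaves atime alone and the poller will never see it.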