fchange: A File System Watchdog
Steven G. Isaacson
Few things are more annoying for a system administrator
hours figuring out why something no longer works, only
that someone (perhaps another sysadmin, or some user
who knows the
root password) has changed a critical system file. An
change to /etc/profile, for example, can precipitate
of head scratching.
The problem is communication. If you know that the kernel was
relinked, or that a uucp configuration file was changed,
you can narrow
your search for the source of the (new) problem.
Rather than rely on my colleagues to keep me well-informed,
I use a
utility, fchange, that automatically tells me about
file system changes.
fchange is a filesystem watchdog that sends mail whenever a
specified file has changed. For example:
This file was changed recently on Dev
----r----- 1 bin mem 604136 Jul 21 1992 /unix
fchange includes a detailed listing from /bin/ls,
so you know the last modification time, the owner, size,
the modified file. A file-tracking mode will even make
a copy of the
fchange consists of a shell script, a files file (containing
the files to watch and users to notify), and a control directory.
An entry in root's crontab runs fchange every 15 minutes.
The fchange shell script employs a simple algorithm:
while there are more lines to read in the files
file, read them; if the specified file has changed,
To determine if a specified file has changed, fchange compares
the current output from /bin/ls to a previous result.
Results are maintained in an automatically generated
log file. fchange
creates a log for each file you want to track. For example, the log
file for tracking /unix might be called 01.unix.
The first time fchange looks at /unix, 01.unix
is empty, so a new entry is made:
----r------ 1 bin mem 604136 Jul 21 1992 /unix
From then on, fchange works as follows:
it counts the number of lines in the log file;
runs ls -l to add a new line to the log file;
sorts the log file uniquely;
counts the number of lines in the log file again;
checks to see if there is a new line in the log file after the unique sort has completed; if there is, then the file (and now the log file) has changed; sends mail.
In Figure 1 the file has not changed. Figure
the process when the file has changed.
As an added benefit, fchange keeps a running history
changes made to your file. You can see at a glance how
a certain file was changed in the past, say, six months.
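The log-compare steps above can be sketched as a single shell function. This is an added example, not the article's Listing 1; the function name fchange_check, its two arguments, and the MISSING marker line are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration of the count / ls -l / sort -u / count steps.
# fchange_check and its arguments are hypothetical names.
# Prints "baseline", "changed" or "unchanged" for one watched file.
fchange_check() {
    file=$1   # file to watch
    log=$2    # per-file log holding earlier "ls -l" lines
    [ -f "$log" ] || : > "$log"

    # Step 1: count the lines already in the log.
    before=$(( $(wc -l < "$log") ))

    # Step 2: append the current listing (C locale keeps the format stable).
    if ! LC_ALL=C ls -l "$file" >> "$log" 2>/dev/null; then
        # Assumption: a watched file that has vanished is logged as a change.
        echo "MISSING $file" >> "$log"
    fi

    # Step 3: sort uniquely; an identical listing collapses into the old one.
    sort -u -o "$log" "$log"

    # Step 4: count again.
    after=$(( $(wc -l < "$log") ))

    # Step 5: an extra surviving line means the listing differs from history.
    if [ "$before" -eq 0 ]; then
        echo baseline        # empty log: first observation, nothing to compare
    elif [ "$after" -gt "$before" ]; then
        echo changed         # the caller would send mail here
    else
        echo unchanged
    fi
}
```

Because the comparison is made on the ls -l line only, an edit that keeps the file size and restores the modification time adds no new log line; including a checksum of the file in the logged line would catch that case.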
The files File
The straightforward files file contains three fields
The first field is an arbitrary string that uniquely
line. I simply "number" the lines, starting
with 01. The second
field contains the directory path and filename. The
third field contains
the mail-to names (or aliases), and the optional keyword
Blank lines and lines beginning with a pound sign are
The optional tracking feature provides two benefits.
First, if the
file you are watching gets removed or horribly corrupted,
a readily accessible backup copy. Second, it makes it
easy to quickly
determine what was changed because you have the before
copy and after
copy in the fchange log directory (see fcdiff below).
Note that the tracking feature also comes with two caveats. First,
the files are tracked by cat'ing them to the log file.
So if you try
to track a binary file, you'll end up with unusable
copies of it in
the log directory; they will be unusable because new
copies are appended
to the log file, along with a one line date stamp. The
turns to mush.
The second caveat involves the track file itself. If
you are watching
a file that changes several times a day, the track file
grow in size. You may need to put it under maxtab control
Admin, Vol. 2, No. 2, "maxtab: Automatic File Pruning").
fchange requires a control directory. A subdirectory,
within the control directory contains the log files
and any files
that are tracked. For example:
The control directory also contains the files file,
and the fchange.sh script (see Listing 1).
On my primary system, I've scheduled fchange to run
minutes during the day, and once at night. The frequency
by the cron entry that runs fchange.sh.
You can run fchange.sh as often or as little as you like. If
any of the specified files have changed since the last
time it was
run, you will get mail.
I use the utility fcdiff, Listing 2, to find differences between
the last two copies of a tracked file. fcdiff must to
in the fchange control directory, because it needs access to
the files file.
Usage: fcdiff [-n log number] \
The log number is the key to your file. If you know
the log number,
you can specify it on the command-line and immediately
view the changes.
fcdiff looks in the log directory for the appropriate
file (for example, 14.log.track). The last two entries in the
track file are then written out to temp files and diffed. You
can then quickly see what changed.
If you specify the file name, fcdiff will grep the files
file for the name. The log number is displayed for any
I recommend using fchange to watch and track key files
machine. This is particularly helpful on the occasional
system in which general access is ostensibly denied.
changes, you want to know about it.
In short, fchange is a boon for system administrators. You
train the system to watch itself, and it does.
About the Author
Steven G. Isaacson has been writing C and Informix
since 1985. He is currently developing automated testing
FourGen Software, the leading developer of accounting
CASE Tools for the UNIX market. He may be reached via
uunet!4gen!steve1 or email@example.com.