---
Author: Kristof Vandam
Categories:
- tools
- administration
Date: 2018-11-05T22:13:49+02:00
Draft: false
Tags:
- directory
- size
- inventory
Title: 'Fatrace: Report system wide file access events'
Truncated: true
---

*fatrace* watches file access on every file on the server, except accesses made by fatrace itself and files on kernel file systems.

## Install on CentOS 7

Download the repo file from *fedorainfracloud.org*:

```.language-command
# Let curl write the file as root with -o; a shell redirection (>) would be
# performed by the unprivileged shell, not by sudo, and fail on /etc/yum.repos.d
sudo curl -o /etc/yum.repos.d/ifas.repo https://copr.fedorainfracloud.org/coprs/ifas/fatrace/repo/epel-7/ifas-fatrace-epel-7.repo
sudo yum install fatrace -y
```

## Usage

Option | Description
------------------------------|------------------------------------------------------------
-c, --current-mount | Only record events on the partition/mount of the current directory. Without this option, all (real) partitions/mount points are watched.
-o FILE, --output=FILE | Write events to the given file instead of standard output.
-s SECONDS, --seconds=SECONDS | Stop after the given number of seconds.
-t, --timestamp | Add a timestamp to events. When this option is given once, the format is a human-readable hour:minute:second.microsecond.
-p PID, --ignore-pid=PID | Ignore events for this process ID. Can be specified multiple times.

### Output

The output should look something like the following. My action was reloading this page while watching with fatrace.

```.language-command
$ fatrace -t
12:58:20.859174 pickup(7666): CO /var/spool/postfix/maildrop
12:58:21.017572 caddy(7472): CO /var/www/vhosts/blog/tools/fatrace
12:58:21.017572 caddy(7472): CO /var/www/vhosts/blog/tools/fatrace/index.html
12:58:21.017572 caddy(7472): W /var/log/caddy/blog.log
12:58:21.213908 caddy(7472): CO /var/www/vhosts/blog/index.json
12:58:21.213908 caddy(7472): W /var/log/caddy/blog.log
12:58:21.305848 caddy(7472): RCO /var/www/vhosts/blog/img/favicon.png
12:58:21.305848 caddy(7472): W /var/log/caddy/blog.log
```

Letter | Description
---------|------------
R | Read
W | Write
O | Open
C | Close

Action identifiers can be combined.

## Use cases

Identifying which files are accessed by a process.

## References

[Manpage fatrace](http://manpages.ubuntu.com/manpages/trusty/man1/fatrace.1.html)
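
As an added example (not part of the original post or of the fatrace project), the Python code below parses `fatrace -t` output in the format shown under Output and builds a per-process inventory of accessed files, which is the use case named above. The function names are hypothetical, the sample is the output above embedded as constructed input, and event letters that are not in the letter table are kept unmapped rather than guessed.

```python
import re
from collections import defaultdict

# Constructed sample: the event lines from the Output section of this page.
SAMPLE = """\
12:58:20.859174 pickup(7666): CO /var/spool/postfix/maildrop
12:58:21.017572 caddy(7472): CO /var/www/vhosts/blog/tools/fatrace
12:58:21.017572 caddy(7472): CO /var/www/vhosts/blog/tools/fatrace/index.html
12:58:21.017572 caddy(7472): W /var/log/caddy/blog.log
12:58:21.213908 caddy(7472): CO /var/www/vhosts/blog/index.json
12:58:21.213908 caddy(7472): W /var/log/caddy/blog.log
12:58:21.305848 caddy(7472): RCO /var/www/vhosts/blog/img/favicon.png
12:58:21.305848 caddy(7472): W /var/log/caddy/blog.log
"""

EVENTS = {"R": "read", "W": "write", "O": "open", "C": "close"}
# Optional -t timestamp, command name (may contain spaces), pid, letters, path.
LINE = re.compile(
    r"^(?:(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) )?"
    r"(?P<comm>.+?)\((?P<pid>\d+)\): (?P<types>\S+) (?P<path>.+)$"
)

def parse(text):
    """Yield (timestamp, command, pid, event_set, path) for each event line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # blank lines and anything that is not an event are skipped
            events = {EVENTS.get(c, c) for c in m["types"]}  # unknown letters kept as-is
            yield m["ts"], m["comm"], int(m["pid"]), events, m["path"]

def inventory(text):
    """Map (command, pid) -> {path: set of events seen on that path}."""
    seen = defaultdict(lambda: defaultdict(set))
    for _ts, comm, pid, events, path in parse(text):
        seen[(comm, pid)][path] |= events
    return seen

def written_paths(text, comm):
    """Sorted paths that any process with the given command name wrote to."""
    return sorted({p for (c, _), files in inventory(text).items() if c == comm
                   for p, ev in files.items() if "write" in ev})

if __name__ == "__main__":
    for (comm, pid), files in inventory(SAMPLE).items():
        print(f"{comm}({pid})")
        for path, events in sorted(files.items()):
            print(f"  {','.join(sorted(events)):<16} {path}")
```

To use it on a real capture, record with `fatrace -t -o FILE` and pass the contents of that file to `inventory()` in place of `SAMPLE`.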