LoggedFS - Filesystem monitoring with Fuse

Donation

Donate Ethereum: 0x83FBC94FBca4e2f10Bede63e16C5b0Bb31a1Fed1

Description

LoggedFS is a fuse-based filesystem which can log every operation that happens in it.

How does it work?

Fuse does almost everything. LoggedFS only sends a message to syslog when called by fuse and then lets the real filesystem do the rest of the job.

Installation

If loggedfs is included in your distribution you can just install it with your package manager.

Installation from source

First you have to make sure that fuse is installed on your computer. If you have a recent distribution it should be. Fuse can be downloaded here: https://github.com/libfuse/libfuse. Then you should download the loggedfs archive and install it with the make command:

wget https://github.com/rflament/loggedfs/archive/loggedfs-0.9.tar.gz
tar xfz loggedfs-0.9.tar.gz
cd loggedfs-loggedfs-0.9
make
make install

LoggedFS has the following dependencies:

fuse
pcre
libxml2

Configuration

LoggedFS can use an XML configuration file if you want it to log operations only for certain files, for certain users, or for certain operations.

Here is a sample configuration file:

<?xml version="1.0" encoding="UTF-8"?>

<loggedFS logEnabled="true" printProcessName="true">
  <includes>
    <include extension=".*" uid="*" action=".*" retname=".*"/>
  </includes>
  <excludes>
    <exclude extension=".*\.bak$" uid="*" action=".*" retname="SUCCESS"/>
    <exclude extension=".*" uid="1000" action=".*" retname="FAILURE"/>
    <exclude extension=".*" uid="*" action="getattr" retname=".*"/>
  </excludes>
</loggedFS>

This configuration can be used to log everything except successful operations on *.bak files, failed operations performed by uid 1000, and all getattr operations (a rule applies only when all four of its attributes match).

Launching LoggedFS

If you just want to test LoggedFS you don't need any configuration file.

Just use this command:

loggedfs -f -p /var

You should see logs like these:

tail -f /var/log/syslog
17:29:34 (src/loggedfs.cpp:552) LoggedFS running as a public filesystem
17:29:34 (src/loggedfs.cpp:547) LoggedFS not running as a daemon
17:29:34 (src/loggedfs.cpp:666) LoggedFS starting at /var.
17:29:34 (src/loggedfs.cpp:691) chdir to /var
17:29:35 (src/loggedfs.cpp:136) getattr /var/ {SUCCESS} [ pid = 8700 kded [kdeinit] uid = 1000 ]
17:29:41 (src/loggedfs.cpp:136) getattr /var/ {SUCCESS} [ pid = 10923 ls uid = 1000 ]
17:29:41 (src/loggedfs.cpp:136) getattr /var/run {SUCCESS} [ pid = 10923 ls uid = 1000 ]
17:29:41 (src/loggedfs.cpp:136) getattr /var/run/nscd {FAILURE} [ pid = 10923 ls uid = 1000 ]
17:29:41 (src/loggedfs.cpp:136) readdir /var/ {SUCCESS} [ pid = 10923 ls uid = 1000 ]
17:29:41 (src/loggedfs.cpp:136) getattr /var/pouak {SUCCESS} [ pid = 10923 ls uid = 1000 ]

If you have a configuration file to use you should use this command:

./loggedfs -c loggedfs.xml -p /var

If you want to log what other users do on your filesystem, you should use the -p option to allow them to see your mounted files. For complete documentation, see the manual page.
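Before mounting with -c, it is worth checking that a filter file keeps the events you care about. The following added example (not part of LoggedFS itself) parses the sample configuration above and replays it over syslog lines in the format shown earlier; it assumes the include-then-exclude semantics described above, that the extension, action and retname attributes are unanchored regular expressions, and that uid matches either "*" or the exact numeric uid.

```python
import re
import xml.etree.ElementTree as ET

# Copy of the sample configuration from this README.
CONFIG_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<loggedFS logEnabled="true" printProcessName="true">
  <includes>
    <include extension=".*" uid="*" action=".*" retname=".*"/>
  </includes>
  <excludes>
    <exclude extension=".*\.bak$" uid="*" action=".*" retname="SUCCESS"/>
    <exclude extension=".*" uid="1000" action=".*" retname="FAILURE"/>
    <exclude extension=".*" uid="*" action="getattr" retname=".*"/>
  </excludes>
</loggedFS>"""

# Lines from the README plus three constructed ones (.bak, uid 1000, uid 1001).
SAMPLE_LINES = [
    "17:29:41 (src/loggedfs.cpp:136) getattr /var/ {SUCCESS} [ pid = 10923 ls uid = 1000 ]",
    "17:29:41 (src/loggedfs.cpp:136) getattr /var/run/nscd {FAILURE} [ pid = 10923 ls uid = 1000 ]",
    "17:29:41 (src/loggedfs.cpp:136) readdir /var/ {SUCCESS} [ pid = 10923 ls uid = 1000 ]",
    "17:30:02 (src/loggedfs.cpp:136) unlink /var/tmp/old.bak {SUCCESS} [ pid = 10950 rm uid = 0 ]",
    "17:30:05 (src/loggedfs.cpp:136) open /var/log/syslog {FAILURE} [ pid = 10960 cat uid = 1000 ]",
    "17:30:07 (src/loggedfs.cpp:136) open /var/log/syslog {FAILURE} [ pid = 10961 cat uid = 1001 ]",
]

# Matches "action path {RETNAME} [ pid = N procname uid = U ]" as printed by loggedfs.
LOG_RE = re.compile(r"\(src/loggedfs\.cpp:\d+\) (?P<action>\w+) (?P<path>\S+) "
                    r"\{(?P<retname>\w+)\} \[ pid = (?P<pid>\d+) (?P<proc>.+?) uid = (?P<uid>\d+) \]")

def load_rules(xml_text):
    """Return (includes, excludes), each a list of (extension, uid, action, retname) tuples."""
    root = ET.fromstring(xml_text)
    def rules(tag):
        return [(r.get("extension"), r.get("uid"), r.get("action"), r.get("retname"))
                for r in root.iter(tag)]
    return rules("include"), rules("exclude")

def rule_matches(rule, path, uid, action, retname):
    ext, ruid, ract, rret = rule  # all four attributes must match (assumed semantics)
    return (re.search(ext, path) is not None and (ruid == "*" or ruid == uid)
            and re.search(ract, action) is not None and re.search(rret, retname) is not None)

def should_log(rules, path, uid, action, retname):
    """Logged if some include matches and no exclude matches."""
    includes, excludes = rules
    if not any(rule_matches(r, path, uid, action, retname) for r in includes):
        return False
    return not any(rule_matches(r, path, uid, action, retname) for r in excludes)

def filter_log(rules, lines):
    """Keep only the syslog lines the configuration would have emitted."""
    kept = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and should_log(rules, m["path"], m["uid"], m["action"], m["retname"]):
            kept.append(line)
    return kept
```

With the sample rules only the readdir line and the failed open by uid 1001 survive, which shows that the uid 1000 exclusion also hides that user's failed accesses, something to reconsider if the filesystem is being monitored for unauthorized access attempts.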

Rémi Flament - remipouak at gmail.com