How can I monitor a whole directory tree for changes in Linux (ext3 file system)?

Currently the directory contains about half a million files in about 3,000 subdirectories, organized in three directory levels.

Those are mostly small files (< 1kb, some few up to 100 kb). It's a sort of queue and I need to know when files are being created, deleted or their content modified within 5-10 seconds of that happening.

I know there is inotify and sorts, but AFAIK they only monitor a single directory, which means I would need 3,000 inotify handles in my case - more than the usual 1024 handles allowed for a single process. Or am I wrong?

In case the Linux system can't tell me what I need: perhaps there is a FUSE project that simulates a file system (replicating all file accesses on a real file system) and separately logs all modifications (couldn't fine one)?

To my knowledge, there's no other way than recursively setting an inotify watch on each directory.

That said, you won't run out of file descriptors because inotify does not have to reserve an fd to watch a file or a directory (its predecessor, dnotify, did suffer from this limitation). inotify uses "watch descriptors" instead.

According to the documentation for inotifywatch, the default limit is 8192 watch descriptors, and you can increase it by writing the new value to /proc/sys/fs/inotify/max_user_watches.

I've done something similar using the inotifywait tool:

#!/bin/bash
while true; do

inotifywait -e modify,create,delete -r /path/to/your/dir && \
<some command to execute when a file event is recorded>

done

This will setup recursive directory watches on the entire tree and allow you to execute a command when something changes. If you just want to view the changes, you can add the -m flag to put it into monitor mode.

$ inotifywait -m -r /path/to/your/directory

This command is enough to watch the directory recursively for all events such as access, open, create, delete ...

To my knowledge, there's no other way than recursively setting an inotify watch on each directory.

That said, you won't run out of file descriptors because inotify does not have to reserve an fd to watch a file or a directory (its predecessor, dnotify, did suffer from this limitation). inotify uses "watch descriptors" instead.

According to the documentation for inotifywatch, the default limit is 8192 watch descriptors, and you can increase it by writing the new value to /proc/sys/fs/inotify/max_user_watches.

inotify is the best option when you have many subdirectories but if not I am used to using this command below:

watch -d find <<path>>

Use inotifywait from inotify-tools:

sudo apt install inotify-tools

Now create a script myscript.sh that includes hidden files and folders too:

#!/bin/bash
while true; do

inotifywait -e modify,create,delete,move -r $1

done

Make the script executable with chmod +x myscript.sh

Run it with ./myscript.sh /folder/to/monitor

If you don't provide argument it will use the working directory by default.

Also, you can run several commands adding && \ at the end of the previous command to add the next one:

#!/bin/bash
while true; do

inotifywait -e modify,create,delete,move -r $1 && \
echo "event" && \
echo "event 2"

done

If you don't want to execute any command on events, just run the command directly with the -m modifier so doesn't close:

inotifywait -e modify,create,delete,move -m -r /path/to/your/dir

I have a different suggestion, only for changes in the files, and record history changes

use git

cd /folder_to_monitor
git init
git add *
git commit -m "first snapshot"

so after you make the changes

git diff

Wasn't fanotify supposed to provide that capability eventually? Quoting LWN:

“fanotify has two basic 'modes' directed and global. [...] fanotify global instead indicates that it wants everything on the system and then individually marks inodes that it doesn't care about.”

I lost track what its latest status was, though.

Especially for large or complex monitoring tasks in which you want to trigger events based on what you see, check out Watchman A file watching service. Here is a simple example to run a tool named minify-css whenever a CSS file is changed:

$ watchman watch ~/src
$ watchman -- trigger ~/src buildme '*.css' -- minify-css

It does comprehensive logging, can efficiently handle multiple watches that overlap in a directory structure, can be administered from the command line or via json, and much more. See also

• Watchman – A File and Directory Watching Tool for Changes

It is available via Debian Sid and Ubuntu 20.04, and has nearly made it in to Fedora twice from what I can see (1450590 and 1564720).

I was facing the same problem, having a program that was creating some files (starting with a dot) whose content I wanted to manually inspect, but it automatically deleted them again soon after creation.

Using inotify in a loop without the monitor option didn't work for me, because it was too slow and missed events, so I came up with this script:

target="$1"

cd "$target"
mkdir backup/

inotifywait -e modify,create,delete --monitor -r --include "\..*" "$target" | \
while read line
do
  echo "$line"
  if [[ "$line" == "$target CREATE "* ]] || [[ "$line" == "$target MODIFY "* ]]
  then
    filename=${line#"$target CREATE "}
    filename=${filename#"$target MODIFY "}
    cp --verbose "$filename" backup/
  fi
done

use watch command, its easy to use and a native Linux command (installed on almost every linux distro)

watch -n <interval> <command> <path>

e.g.

this will show /tmp/test directory changes for every 200 milliseconds

watch -n 0.2 ls -la /tmp/test

for recursive usage you can use watch like below

 watch -n 0.2 find <path>

I use this to get a quick overview in the current directory:

watch 'find . -printf "%T@ %Tc %p\n" | sort -nr | head '