From: John-Paul Stewart
Newsgroups: comp.os.linux.misc
Subject: Re: Noting EVERY File Write/Change/Delete in (near) Real Time ???
Date: Mon, 12 Sep 2022 19:48:34 -0400

On 2022-09-10 01:48, Grant Taylor wrote:
> On 9/8/22 8:55 PM, 25B.Z969 wrote:
>> Any ideas ?
>
> You might try researching some of the system accounting and / or system
> auditing functions. One or both of them might have something that can
> trigger when a write happens.

In addition to those suggestions, I can't help but get the feeling that
what the OP is looking for is a lot like the filesystem journal concept.
It might be worth trying to read and/or preserve the journal with
debugfs (see its logdump command). There's also the jls command from
the sleuthkit package for examining the journal. Or there's the option
of custom code in the kernel to preserve filesystem journal entries
directly, if all else fails.
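Added example, not part of the post above: a sketch of what a preserved journal contains, walking the block headers of an ext3/ext4 (jbd2) journal directly instead of going through debugfs or jls, which goes beyond what the post describes. It assumes a raw copy of the journal with 4096-byte blocks; the function names are hypothetical and the sample image is constructed in memory.

```python
import struct

JBD2_MAGIC = 0xC03B3998          # first 4 bytes of every jbd2 metadata block
BLOCK_TYPES = {1: "descriptor", 2: "commit", 3: "superblock-v1",
               4: "superblock-v2", 5: "revoke"}

def scan_journal(image: bytes, block_size: int = 4096):
    """Yield (block_no, type_name, sequence) for each block with a jbd2 header."""
    for off in range(0, len(image) - 11, block_size):
        # Header is three big-endian 32-bit fields: magic, block type, sequence.
        magic, btype, seq = struct.unpack_from(">III", image, off)
        if magic == JBD2_MAGIC and btype in BLOCK_TYPES:
            yield off // block_size, BLOCK_TYPES[btype], seq

def committed_transactions(image: bytes, block_size: int = 4096):
    """Return sequence numbers that have a descriptor AND a matching commit block."""
    seen, done = set(), []
    for _, kind, seq in scan_journal(image, block_size):
        if kind == "descriptor":
            seen.add(seq)
        elif kind == "commit" and seq in seen:
            done.append(seq)
    return done

def _block(btype: int, seq: int, size: int = 4096) -> bytes:
    """Build one constructed metadata block: header followed by zero padding."""
    return struct.pack(">III", JBD2_MAGIC, btype, seq).ljust(size, b"\0")

def sample_image(size: int = 4096) -> bytes:
    """Constructed journal: transaction 7 is committed, transaction 8 is not."""
    data = b"\xAA" * size        # stands in for a logged filesystem block
    return b"".join([_block(4, 0), _block(1, 7), data, _block(2, 7),
                     _block(1, 8), data])

if __name__ == "__main__":
    img = sample_image()
    for block_no, kind, seq in scan_journal(img):
        print(f"block {block_no}: {kind} (sequence {seq})")
    print("committed transactions:", committed_transactions(img))
```

The journal is a circular log of block-level transactions, so older entries are overwritten as it wraps, and it records which blocks changed rather than which file names were written.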