Using Inotify for internal audit logs on Windows and Linux


Inotify

Contents:
Introduction
Limitations of Inotify
Getting started with Inotify on Linux

When monitoring cloud or on-premises applications and DevOps scripts, we frequently want to be alerted when files are created, deleted, or modified anywhere in the file system, with a timestamp, the path involved, and (through attribute-change events) changes to permissions. On Linux this is provided by a facility built into the kernel: inotify.

Inotify is a feature built into the Linux kernel, and most other operating systems have analogs: on Windows, filesystem changes are exposed through the Win32 directory change notification functions (ReadDirectoryChangesW) and the .NET FileSystemWatcher class. Such mechanisms let a tool learn about changes to the directories and files it is interested in without polling them.

Since both Linux and Windows expose filesystem change notifications, it would be useful if the two could be bridged, so that, for example, a file modified from Windows triggers notifications for Bash (running under WSL) and for any other file-change-aware Windows application, which could then display the revised content.

Inotify replaced an older kernel mechanism with a similar purpose, dnotify.

The drawback of dnotify is its granularity: it only reports that something changed somewhere in a directory, not which file. To find out what actually changed when a notification arrives, a program has to keep a cache of stat structures for the directory's contents and compare a fresh stat of every entry against the cached one, which is a necessary evil with dnotify and one that inotify removes by naming the affected file in each event.

👉 Limitations of Inotify:-

  • Watches are not recursive: a watch covers one directory and its direct entries, so every subdirectory needs its own watch (inotifywait -r adds them for you and must also add one to each directory created later; files created in a new directory before its watch is in place are missed).
  • A rename is not a single event: inotify emits IN_MOVED_FROM and IN_MOVED_TO carrying the same cookie, and the consumer has to pair them. If the destination lies outside the watched tree the second event never arrives, so pairing needs a timeout, and the two halves can straddle a read.
  • Pseudo-filesystems such as /proc and /sys cannot be monitored, and changes made on network filesystems by other hosts are not reported, because inotify only sees operations that pass through the local VFS.
  • Events carry no actor: inotify tells you what changed and when, not which user or process did it. For an audit trail that must attribute changes, pair it with the kernel audit subsystem (auditd -w rules) or fanotify.
  • Watches and the event queue are bounded (fs.inotify.max_user_watches and fs.inotify.max_queued_events). When the queue overflows, the kernel delivers a single IN_Q_OVERFLOW in place of the dropped events, so the log can have gaps and a consumer must detect them.

👉 Let’s get started with Inotify on Linux. Follow the below steps:

  1. Install inotify-tools, which provides the inotifywait command (for example `sudo apt install inotify-tools` on Debian/Ubuntu), then run the following command. The event list after -e is comma-separated with no spaces; -m keeps watching instead of exiting after the first event; -r adds a watch to every subdirectory; and --timefmt/--format put a timestamp, the full path and the event type on every log line:

syntax: inotifywait -m -r --timefmt '%F %T' --format '%T %w%f %e' -e delete,modify,create <directory> >> <log file>

eg: inotifywait -m -r --timefmt '%F %T' --format '%T %w%f %e' -e delete,modify,create /home/ubuntu/heet >> file_changes.log

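The Linux step above and the limitations listed earlier are easiest to understand from the kernel API itself. What follows is an added example, not code from the original post or from inotify-tools: a small audit logger written directly against inotify_init1/inotify_add_watch through ctypes. It assumes Linux with a libc that exports those functions (glibc or musl); the record labels CREATE, MODIFY, DELETE, RENAME, MOVED_IN, MOVED_OUT and Q_OVERFLOW are this example's own naming. It adds one watch per directory, including directories created while it runs, pairs the two halves of a rename by cookie and reports an unmatched half as a move out of the tree after a timeout, and surfaces queue overflow as an explicit gap record instead of silently losing events.

```python
"""Added example (not from the original post or from inotify-tools): a raw inotify audit
logger for Linux, talking to the kernel through libc via ctypes and handling the limitations
listed above (per-directory watches, two-event renames paired by cookie, queue overflow)."""
import ctypes, errno, os, select, struct, sys, time
from collections import namedtuple

# Event bits from <sys/inotify.h> (stable kernel ABI).
IN_MODIFY, IN_MOVED_FROM, IN_MOVED_TO = 0x00000002, 0x00000040, 0x00000080
IN_CREATE, IN_DELETE = 0x00000100, 0x00000200
IN_Q_OVERFLOW, IN_IGNORED, IN_ISDIR = 0x00004000, 0x00008000, 0x40000000
AUDIT_MASK = IN_MODIFY | IN_MOVED_FROM | IN_MOVED_TO | IN_CREATE | IN_DELETE

_EVENT_HDR = struct.Struct("iIII")  # struct inotify_event: wd, mask, cookie, len; name[len] follows
AuditRecord = namedtuple("AuditRecord", "ts event path new_path is_dir")  # event labels are ours

_libc = ctypes.CDLL(None, use_errno=True)  # this process's symbols, which include libc's
_libc.inotify_init1.argtypes = [ctypes.c_int]
_libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]

class InotifyAuditor:
    def __init__(self, root, rename_timeout=1.0):
        self.root, self.rename_timeout = os.path.abspath(root), rename_timeout
        self._wd_to_dir, self._pending_moves = {}, {}  # wd -> dir; cookie -> (ts, path, is_dir)
        self.fd = _libc.inotify_init1(os.O_NONBLOCK | os.O_CLOEXEC)
        if self.fd < 0:
            raise OSError(ctypes.get_errno(), "inotify_init1 failed")
        self._watch_tree(self.root)

    def _watch_tree(self, top):
        # inotify is not recursive: one watch per directory, including ones created later.
        for dirpath, _, _ in os.walk(top):
            wd = _libc.inotify_add_watch(self.fd, os.fsencode(dirpath), AUDIT_MASK)
            if wd >= 0:
                self._wd_to_dir[wd] = dirpath
            elif ctypes.get_errno() != errno.ENOENT:  # ENOENT: it vanished before we got to it
                raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()), dirpath)

    def _handle(self, wd, mask, cookie, name, ts):
        if mask & IN_Q_OVERFLOW:  # the kernel dropped events: the audit log has a gap here
            return [AuditRecord(ts, "Q_OVERFLOW", self.root, None, True)]
        base = self._wd_to_dir.pop(wd, None) if mask & IN_IGNORED else self._wd_to_dir.get(wd)
        if base is None or mask & IN_IGNORED:  # IN_IGNORED: the watched directory itself is gone
            return []
        path, is_dir = (os.path.join(base, name) if name else base), bool(mask & IN_ISDIR)
        if mask & IN_MOVED_FROM:  # first half of a rename: hold it until its twin arrives
            self._pending_moves[cookie] = (ts, path, is_dir)
            return []
        if mask & IN_MOVED_TO:
            src = self._pending_moves.pop(cookie, None)
            if is_dir and src:  # a renamed directory keeps its watch; only our path map changes
                for w, d in list(self._wd_to_dir.items()):
                    if d == src[1] or d.startswith(src[1] + os.sep):
                        self._wd_to_dir[w] = path + d[len(src[1]):]
            elif is_dir:
                self._watch_tree(path)
            if src is None:  # no twin seen: the source lay outside the watched tree
                return [AuditRecord(ts, "MOVED_IN", path, None, is_dir)]
            return [AuditRecord(ts, "RENAME", src[1], path, is_dir)]
        if mask & IN_CREATE and is_dir:
            self._watch_tree(path)  # anything created inside before this line ran is missed (race)
        for bit, label in ((IN_CREATE, "CREATE"), (IN_DELETE, "DELETE"), (IN_MODIFY, "MODIFY")):
            if mask & bit:
                return [AuditRecord(ts, label, path, None, is_dir)]
        return []

    def poll(self, timeout=0.5):
        """Wait up to `timeout` seconds and return the audit records produced."""
        records, buf, off = [], b"", 0
        if select.select([self.fd], [], [], timeout)[0]:
            while True:  # read() returns whole events only; drain until EAGAIN
                try:
                    buf += os.read(self.fd, 65536)
                except BlockingIOError:
                    break
        now = time.time()
        while off < len(buf):
            wd, mask, cookie, length = _EVENT_HDR.unpack_from(buf, off)
            off += _EVENT_HDR.size
            name = os.fsdecode(buf[off:off + length].split(b"\0", 1)[0])  # name is NUL padded
            off += length
            records.extend(self._handle(wd, mask, cookie, name, now))
        for cookie, (ts, path, is_dir) in list(self._pending_moves.items()):
            if now - ts >= self.rename_timeout:  # IN_MOVED_TO never came: it left the watched tree
                del self._pending_moves[cookie]
                records.append(AuditRecord(ts, "MOVED_OUT", path, None, is_dir))
        return records

    def close(self):
        os.close(self.fd)

def audit_line(rec):
    """Render a record in the '<time> <path> <event>' layout of the inotifywait commands above."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(rec.ts))
    suffix = f" -> {rec.new_path}" if rec.new_path else ""
    return f"{stamp} {rec.path}{os.sep if rec.is_dir else ''} {rec.event}{suffix}"

if __name__ == "__main__":
    auditor = InotifyAuditor(sys.argv[1] if len(sys.argv) > 1 else ".")
    while True:  # Ctrl-C to stop
        for rec in auditor.poll(1.0):
            print(audit_line(rec), flush=True)
```

Run it as `python3 inotify_audit.py /home/ubuntu/heet >> file_changes.log` and it emits the same timestamp, path and event layout as the inotifywait command. Like inotifywait, it records what changed and when but not who changed it; for attribution, pair it with auditd watch rules on the same directories.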

👉 Now getting started with inotify on Windows:-

The first step is to download the Cygwin installer from the link below. When choosing packages during setup, make sure the “make” package is selected.

[Cygwin installation](https://www.cygwin.com/install.html)

To get inotifywait.exe for Windows, use the repository linked below:

[thekid/inotify-win on GitHub: a port of inotifywait for Windows](https://github.com/thekid/inotify-win)

Once you have inotifywait.exe, run the following from the directory that contains it (the flags mirror the Linux command: -m keeps monitoring, -r recurses, -q suppresses startup chatter, and the event list is comma-separated with no spaces):

.\inotifywait.exe -m -r -q --timefmt "%F %T" --format "%T %w%f %e" -e create,delete,modify,move C:\Files >> file.log

The log file then receives one line per event in the same timestamp, path and event layout as on Linux.

I hope this article was informative and provided you with the details you required. If you have any questions while reading the blog, message me on Instagram or LinkedIn.

Thank You…