How to Monitor Filesystem Events with Incron in Linux

This post will guide you how to monitor a filesystem or a specified files in your Linux Operating systems. How do I monitor individual files or directories and executes commands or shell scripts with incron in Linux.

incron will use inotify to monitor various events on files in your filesystems. The inotify API provides a mechanism for monitoring filesystem events. Inotify can be used to monitor individual files, or to monitor directories. When a directory is monitored, inotify will return events for the directory itself, and for files inside the directory.

Install incron

Incron tool is not installed in your Linux system by default, so you need to install it using the following commands:

For CentOS or RHEL Linux:

$ sudo yum install incron

Outputs:

[root@devops ~]# yum install incron
Loaded plugins: fastestmirror
Determining fastest mirrors
* remi-php55: mirrors.tuna.tsinghua.edu.cn
* remi-php56: mirrors.tuna.tsinghua.edu.cn
* remi-php73: mirrors.tuna.tsinghua.edu.cn
* remi-safe: mirrors.tuna.tsinghua.edu.cn
base | 3.6 kB 00:00:00
epel | 5.3 kB 00:00:00
extras | 3.4 kB 00:00:00
remi-php55 | 3.0 kB 00:00:00
remi-php56 | 3.0 kB 00:00:00
remi-php73 | 3.0 kB 00:00:00
remi-safe | 3.0 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/6): epel/x86_64/updateinfo | 1.0 MB 00:00:00
(2/6): epel/x86_64/primary_db | 6.8 MB 00:00:00
(3/6): remi-php56/primary_db | 244 kB 00:00:00
(4/6): remi-php55/primary_db | 236 kB 00:00:00
(5/6): remi-safe/primary_db | 1.6 MB 00:00:00
(6/6): remi-php73/primary_db | 202 kB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package incron.x86_64 0:0.5.12-11.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===========================================================================================================================
Package Arch Version Repository Size
===========================================================================================================================
Installing:
incron x86_64 0.5.12-11.el7 epel 96 k

Transaction Summary
===========================================================================================================================
Install 1 Package

Total download size: 96 k
Installed size: 266 k
Is this ok [y/d/N]: y


Downloading packages:
incron-0.5.12-11.el7.x86_64.rpm | 96 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : incron-0.5.12-11.el7.x86_64 1/1
Verifying : incron-0.5.12-11.el7.x86_64 1/1

Installed:
incron.x86_64 0:0.5.12-11.el7

Complete!

For Ubuntu or Debian Linux:

$ sudo apt install incron

Outputs:

devops@devops:~$ sudo apt install incron
[sudo] password for devops:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
incron
0 upgraded, 1 newly installed, 0 to remove and 143 not upgraded.
Need to get 67.5 kB of archives.
After this operation, 261 kB of additional disk space will be used.
Get:1 http://mirrors.aliyun.com/ubuntu bionic/universe amd64 incron amd64 0.5.10-3build1 [67.5 kB]
Fetched 67.5 kB in 0s (243 kB/s)
Selecting previously unselected package incron.
(Reading database ... 186163 files and directories currently installed.)
Preparing to unpack .../incron_0.5.10-3build1_amd64.deb ...
Unpacking incron (0.5.10-3build1) ...
Processing triggers for ureadahead (0.100.0-21) ...
Setting up incron (0.5.10-3build1) ...
Adding group `incron' (GID 134) ...
Done.
Created symlink /etc/systemd/system/multi-user.target.wants/incron.service → /lib/systemd/system/incron.service.
Processing triggers for systemd (237-3ubuntu10.28) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for ureadahead (0.100.0-21) ...
devops@devops:~$

Once incron is installed on your system, and you need to start incron daemon and also need to set it to start on reboot, type the following commands:

$ sudo systemctl start incron
$ sudo systemctl enable incron

You can verify the status of incron daemon by running the following command:

$ systemctl status incron

Outputs:

devops@devops:~$ systemctl status incron
 incron.service - file system events scheduler
Loaded: loaded (/lib/systemd/system/incron.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2019-09-11 07:40:32 EDT; 2min 6s ago
Main PID: 6126 (incrond)
Tasks: 1 (limit: 1123)
CGroup: /system.slice/incron.service
└─6126 /usr/sbin/incrond

Sep 11 07:40:32 devops systemd[1]: Starting file system events scheduler...
Sep 11 07:40:32 devops incrond[6125]: starting service (version 0.5.10, built on Apr 3 2018 12:29:01)
Sep 11 07:40:32 devops systemd[1]: incron.service: Can't open PID file /run/incrond.pid (yet?) after start: No such file or
Sep 11 07:40:32 devops incrond[6126]: loading system tables
Sep 11 07:40:32 devops incrond[6126]: loading user tables
Sep 11 07:40:32 devops incrond[6126]: ready to process filesystem events
Sep 11 07:40:32 devops systemd[1]: Started file system events scheduler.

incron Syntax

The incron Syntax is as followss:

<path>   <mask>  <command>

Note:
<path> is a file path or filesystem path
<mask> inotify events
<command> is an shell command or shell scripts that you want to run on the events.

You can use the following inotify events:

• IN_ACCESS File was accessed (read) (*).
• IN_ATTRIB Metadata changed, e.g., permissions, timestamps, extended attributes, link count (since Linux 2.6.25), UID, GID, etc. (*).
• IN_CLOSE_WRITE File opened for writing was closed (*).
• IN_CLOSE_NOWRITE File not opened for writing was closed (*).
• IN_CREATE File/directory created in watched directory (*).
• IN_DELETE File/directory deleted from watched directory (*).
• IN_DELETE_SELF Watched file/directory was itself deleted.
• IN_MODIFY File was modified (*).
• IN_MOVE_SELF Watched file/directory was itself moved.
• IN_MOVED_FROM File moved out of watched directory (*).
• IN_MOVED_TO File moved into watched directory (*).
• IN_OPEN File was opened (*).

For example, if you want to monitor a file or directory called /etc/httpd/httpd.conf, and when file is changed, let inofify send a mail event to you.
you need to run the following command to edit your incrontab file, type:

$ incrontab -e

then you need to add the following line in it:

/etc/httpd/httpd.conf IN_MODIFY mailx -s "httpd.conf has been modified" mytest@gmail.command