Hi,

I have a Linux CentOS server.
Is there a way to store all changes made to the hard drive by all software on the server ?

Regards,
vzxen

Any particular reason why you would want this? Details please: be as verbose as possible.

Yes, because I want to keep a track of all files and directories being modified from time to time.

What is the specific purpose of "keeping track" as you define it? Should it cover the whole file system or just one application or just some users? Can't you use a file system integrity checker like Aide or Samhain? If it must be real time: why? Ever used inotify, Auditd or FUSE LoggedFS?

It could be that you could setup a mirrored ramdisk and do it that way?

I want to monitor the entire filesystem.
Who handles the data being written to the HDD in Linux ?
Does it go through the Linux Kernel ?
Is there an equivalent to Microsoft Volume Shadow Copy Service for Windows ?

Please help me with this. I have been banging my head for two days for a possible solution.

Have a look at lsof.

Might look at zfs. http://wiki.github.com/behlendorf/zfs/example-zvol

I was reading R1Soft does something in similar fashion.
How does it do it ?
lsof - is only currently opened files.
zfs - is for taking snapshots

Basically I want to keep track of changes to all files on the system.

How would you 'keep track of' data being written? By writing to some data file(s)? Then you would have to 'keep track of' that data, and then that would result in more data to keep track of, and so on. And how would you monitor the data? Would you have a reader for all types of data files? Would you or anyone actually inspect that data?
Okay, I'm being cynical. But really, your requirements need to be refined a bit more. What is the objective of keeping track of data being written/modified? Are you concerned about the quantity being stored? The content? The origin? Some per-user or per-group concerns?
You could keep disk usage statistics fairly easily using some basic scripting that runs periodically.
--- rod.

Yes, I know that. You've been repeating that endlessly.

"monitoring the entire filesystem" can be done for many reasons: it can be a hard audit requirement, it can aid troubleshooting or it can be used to say watch application or human user behaviour. (It also is invasive, a performance drain and likely in conflict with Privacy laws.) What I need to know is what you need it for exactly. If you can answer that simple question in detail and without repeating yourself then I'm sure leads or solutions can be offered that suit your case best.

Hi,

I have two reasons:
1) Create a Backup System (I was thinking of doing something similar to R1SOFTs near CDP though its advertised as CDP. I want to learn that and do it for my college)
2) Monitor which user is editing which file. There are many users who access files especially in a college. Hence I want to be able to monitor it as well.

I have read that I can try to do it by making a modified kernel. Or does r1soft do it in another way ?

You can use rsync to make periodic backups that only backup modified files. The utilities 'ps', 'lsof' and 'w' could probably be combined to create some kind of pseudo-realtime monitoring tool for users file activities. You could call it 'BigBrother'.
--- rod.

How does R1Soft do it ?
Are they using a modified kernel ?

Also how can 'ps' be used ?
It shows the current processes right ?

(BTW: I accidentally hit the "Report" button for the above post. Sorry for that!)