Does Linux keep a changed file log?
 

I need to know which files in multiple folders have been changed within a specified time period. I only know how to access Linux via putty, so please be specific if you can help.

Thank you in advance-
~c:newbie:

Hi, and welcome to LQ!
The quick answer is no.

The ellaborate answer is: you can make it do that. But
it can become a rather costly operation on a busy machine.

If you don't need a log you can easily use find to check
for times modification times.

e.g. find -mtime -5 -mtime +2
will list anything that was modified in between 5
and 2 days ago.




Cheers,
Tink

Thank you! The files I am looking for (testing purposes) are not showing, but I am getting a good list (which is all that is needed for my usual purpose).
My new question is: How do I get just the last day? I changed the comment to find -mtime -5 -mtime +0 but it still is not showing my test file. Is it possible to get recent results?

-mtime -1 by itself should do the trick. You need to bear in mind that it
will always compare against the current timestamp, and go back 24 hours.
If that's not the granularity you're after have a look into mmin instead,
which will look at the passed minutes.

What file-system is that machine using?



Cheers,
Tink

Thank you very much! One more question: Does this show only those files modified or does it also show files added or removed (or one or the other)?
I'm guessing only those modified...

Creating a new file is a modification (if you think about it - it can't have a
modify time-stamp that's older than the file's creation time). So a file
newly created should show up as well.



Cheers,
Tink

Awesome! Thanks so much for your help!!! I'm also assuming from your last comment about time stamps that files deleted would not be included because there is no time stamp.

I really appreciate you "dumbing it down".

You're most welcome. And you're right - a deleted file doesn't have any allocated
inodes, and hence doesn't have time-stamps. In other words: with plain OS means
you can't find out whether a file has been deleted.

For that kind of thing you could use programs like AIDE or tripwire, which watch
for changes based on a schedule (e.g. every 30 minutes). You could use samhain
which allows for real-time monitoring (I think it does - been a while that I last
looked into it because it was quite heavy on CPU) or build your own based on e.g.
the dazuko library.

If that's more than you asked for, and you're not really after intrusion detection,
you could use a simple cron-job to take a directory listing every minute, compare
it against the previous run and notify you of changes. The greatest short-coming
of this would be the 1-minute granularity. In other words if something got created
and deleted within the 1-minute time-frame you'd never know about it.



Cheers,
Tink

If you want real-time, I believe this is what you need: http://www-128.ibm.com/developerwork...l-inotify.html