Storage Management/Auditing

Dan Nelson dnelson at
Sat Jul 5 10:16:59 PDT 2003

In the last episode (Jul 06), John Stockdale said:
> For lack of a better place to query, and a distinct lack of findings
> in my last few hours of googling, I was hoping someone on the list
> might be able to enlighten me on the subject of storage system
> management and auditing.
> I'm currently admining a low load, high capacity storage array (Raid
> 5, 1.4TB) and am interested in being able to quickly determine
> activity (file addition, deletion, etc), file system usage, and any
> other relevant information regarding the array. I have already
> covered the hardware status (via 3ware monitoring tools) but have no
> way beyond df / du of checking usage and changes (which is tedious
> and shrinks in practicality as the file system grows).

If you're really desperate to not do a full filesystem sweep, how about
getting your file list from your weekly/nightly backup run?  You do do
backups, right? :)  Or you could expand out the file list generated
weekly by locate.updatedb.  To get all of what you need, you'll
probably have to do your own sweep though.  It shouldn't go that slow,
and you can always run it at night.
> I was thinking that I could possibly use AIDE to track the changes,
> but then again the current port is broken (sending email to
> maintainer concurrently) so I thought I'd look for a better solution.

You could always run "find / -ls" every night, and then use diff to get
a list of changed files between any two days you have logs for.  The
username column will also let you do per-user tracking.  Enabling
quotas and running repquota gives you a per-user summary quicker, but
doesn't get any more specific.

	Dan Nelson
	dnelson at

More information about the freebsd-current mailing list