278 words
1 minute
File Monitoring using eBPF
Anubhav Gain
2023-12-01
eBPF
ebpf
/
rust

Linux based File Monitoring using eBPF#

Keep an eagle-eye on your files with ebpf-file-monitor, a slick Rust program powered by cutting-edge eBPF technology. This utility alerts you instantly whenever changes occur in your files, ensuring you’re always in the loop.

Features#

  • eBPF Technology: Utilizes the latest eBPF advancements to trace file events efficiently.
  • Instant Alerts: Prints out a timestamp the moment your file is modified, ensuring real-time awareness.
  • Cross-Platform Compatibility: Works seamlessly across Linux, Windows, and MacOS environments.

Prerequisites#

Ensure you have the following prerequisites installed:

  • Rust 1.56+ (get the latest version)
  • Cargo (Rust’s package manager)
  • libbpf and bcc libraries (eBPF’s dynamic duo)

Installation#

Terminal window
# Clone the repository
git clone https://github.com/mranv/ebpf-file-monitor.git


# Navigate to the directory
cd ebpf-file-monitor


# Install bcc and libbpf if needed
# For Fedora/RedHat:
sudo yum install bcc bpf
# For Debian/Ubuntu:
sudo apt-get install libbpf-dev libbcc-dev


# Build the project
cargo build --release

Usage#

Update the FILE_PATH variable in the source code to the file you want to monitor. Then, unleash the watchdog:

Terminal window
./target/release/ebpf-file-monitor

Now, sit back and relax as it prints timestamps whenever changes occur in the specified file.

Implementation#

  • libbpf: Utilizes libbpf to load eBPF programs that trace open and write syscalls.
  • Event Filtering: Filters for events related to the target file.
  • Real-time Alerts: Prints timestamps upon modification events, ensuring immediate awareness.

Limitations#

  • Single File Monitoring: Watches only one file at a time.
  • Dependency Requirements: Requires eBPF/bcc libraries to be installed.

Contributions#

Got ideas to enhance this utility? Contributions are welcome! Feel free to share your thoughts and suggestions to make this watchdog even better.

About#

This utility is designed to track changes in specified files and provide instant timestamps upon modifications.

Repository: github.com/mranv/ebpf-file-monitor

© 2024 GitHub, Inc. All rights reserved.

Disclaimer: This blog post is licensed under the MIT license. Please refer to the repository for the full license details.

File Monitoring using eBPF
https://mranv.pages.dev/posts/file-monitoring-using-ebpf/
Author
Anubhav Gain
Published at
2023-12-01
License
CC BY-NC-SA 4.0
Powerful ChatGPT Desktop Application
Journey into eBPF
© 2025 Anubhav Gain. All Rights Reserved. / RSS / Sitemap
Built with Astro | View Source