Hi,
I'm trying to use incron to invoke a program whenever some files change.
e.g.

/var/log/snort/snort.last IN_CLOSE_WRITE /some/program /var/log/snort/snort.last

/var/log/snort/snort.last is created by a conventional cron job, which does
a cp of /var/log/snort/alert to /var/log/snort/snort.last on a 5 minute
interval.
This rule only seems to execute once after restarting incron, and never
again (despite the copies running every 5 minutes).
I started trying to debug what was going on, by using inotify_test from
inotify-utils-0.25. According to it, it's seeing:

MODIFY (file) 0x00000002
FILENAME=snort.last
OPEN (file) 0x00000020
FILENAME=snort.last
MODIFY (file) 0x00000002
FILENAME=snort.last
CLOSE (file) 0x00000008
FILENAME=snort.last

So basically no IN_CLOSE_WRITE, which is not what I'd expect to see for a
file copy. I even tried adding --remove-destination, but I still don't get
an IN_CLOSE_WRITE.
I tried seeing what iwatch saw, and it sees:

[10/Dec/2010 18:24:03] IN_MODIFY /var/log/snort/snort.last
[10/Dec/2010 18:24:03] IN_OPEN /var/log/snort/snort.last
[10/Dec/2010 18:24:03] IN_MODIFY /var/log/snort/snort.last
[10/Dec/2010 18:24:03] IN_CLOSE_WRITE /var/log/snort/snort.last
[10/Dec/2010 18:24:03] * /var/log/snort/snort.last is closed

which is what I was expecting to see. Why this inconsistency?
So I'm assuming that incron is seeing what inotify_test is seeing, and
iwatch is seeing what I'd expect incron to be seeing.
My understanding of IN_CLOSE is that it's like an aggregate of
IN_CLOSE_WRITE and IN_CLOSE_NOWRITE, and so I thought you'd only use this as
a mask for events you wanted to see, and it'd never be emitted itself.
What am I missing here?
regards
Andrew
Received on Tue Jun 05 2012 - 22:14:21 CEST
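
Added example (not part of the original message, and not code from incron, inotify-utils or iwatch): a small C program that names the numeric masks printed in the inotify_test output above using the bit values from <sys/inotify.h>, where 0x00000008 is IN_CLOSE_WRITE, and then watches a scratch directory while overwriting a file to show which events a copy-style write delivers. The helper names mask_names and observe_overwrite and the /tmp/inotify-demo-<pid> path are made up for this illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

/* Names for event-mask bits 0..8; an event never carries the IN_CLOSE alias itself. */
const char *mask_names(unsigned mask) {
    static const char *names[] = {"IN_ACCESS", "IN_MODIFY", "IN_ATTRIB", "IN_CLOSE_WRITE",
        "IN_CLOSE_NOWRITE", "IN_OPEN", "IN_MOVED_FROM", "IN_MOVED_TO", "IN_CREATE"};
    static char out[160];                    /* reused on every call */
    size_t n = 0;
    out[0] = '\0';
    for (unsigned b = 0; b < 9; b++)
        if ((mask >> b) & 1)
            n += snprintf(out + n, sizeof out - n, "%s%s", n ? "|" : "", names[b]);
    return out;
}

/* Overwrite a file in a watched scratch dir (constructed path) as cp does; OR of masks or -1. */
int observe_overwrite(void) {
    char dir[64], path[96], buf[4096] __attribute__((aligned(8)));
    snprintf(dir, sizeof dir, "/tmp/inotify-demo-%ld", (long)getpid());
    snprintf(path, sizeof path, "%s/snort.last", dir);
    if (mkdir(dir, 0700) != 0) return -1;    /* refuses a pre-existing name */
    int ifd = inotify_init1(IN_NONBLOCK), fd = -1, seen = -1;
    if (ifd >= 0 && inotify_add_watch(ifd, dir, IN_ALL_EVENTS) >= 0)
        fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) {
        ssize_t len = write(fd, "alert\n", 6);
        close(fd);
        for (seen = 0; (len = read(ifd, buf, sizeof buf)) > 0; )
            for (char *p = buf; p < buf + len; ) {
                struct inotify_event *ev = (struct inotify_event *)p;
                seen |= ev->mask;
                p += sizeof *ev + ev->len;
            }
    }
    if (ifd >= 0) close(ifd);
    unlink(path); rmdir(dir);
    return seen;
}

int main(void) {
    unsigned q[] = {0x02, 0x20, 0x02, 0x08};  /* masks quoted in the post */
    for (int i = 0; i < 4; i++) printf("0x%08x %s\n", q[i], mask_names(q[i]));
    int m = observe_overwrite();
    if (m >= 0) printf("live overwrite: %s\n", mask_names((unsigned)m));
    return 0;
}
```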