iWatch v0.2.2 - realtime filesystem monitoring program

iWatch is a realtime filesystem monitoring program. Its purpose is to monitor any changes in a specific directory or file and send email notification immediately after the change.

This is useful for watching a sensitive file or directory for changes, such as the files /etc/passwd and /etc/shadow or the directory /bin, or for monitoring the root directory of a website for unwanted changes.



  • runs in command line mode as well as in daemon mode
  • uses an easy XML configuration file
  • can watch a directory recursively and watch newly created directories
  • can have a list of exceptions
  • can use regex to compare the file/directory name
  • can execute a command if an event occurs
  • sends email
  • logs to syslog
  • prints a time stamp

This application is written in Perl and needs inotify support in the Linux kernel (>= 2.6.13). It also needs the following third-party Perl modules: Linux::Inotify2, Event, Mail::Sendmail and XML::Simple. All of these modules are available from CPAN as usual.

iWatch can be executed in two modes:

  • Daemon mode: You use an XML configuration file containing a list of directories and files (targets) to monitor.
  • Command line mode: You run it without a configuration file and pass the necessary information (target to watch, email, exception, recursivity, events to monitor and command to execute) on the command line.

Note: The options for both modes can’t be mixed together.

In the XML configuration file, each target can have its own email contact point. This contact point receives an email notification for any change in the monitored targets. You can monitor a directory recursively, and you can also set up a list of exceptions for directories or files inside a monitored directory that you don't want to monitor. It is also possible to disable email notification and instead set up a command to be executed when an event occurs.

By default iWatch monitors only the following events: close_write, create, delete, move, delete_self and move_self. But you can specify any possible events, like access, attrib, modify, all_events and default.
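As an added illustration (not iWatch's own code, which is Perl), the following Python example shows how the event names above map to inotify mask bits from <sys/inotify.h> and how a mask built from the default list filters raw events read from an inotify descriptor. The function names are assumptions of this example, and recursion, exceptions and email are not covered.

```python
import ctypes, os, struct

# inotify mask bits from <sys/inotify.h>, keyed by the event names the page lists
EVENTS = {
    "access": 0x001, "modify": 0x002, "attrib": 0x004, "close_write": 0x008,
    "move": 0x040 | 0x080,  # IN_MOVED_FROM | IN_MOVED_TO
    "create": 0x100, "delete": 0x200, "delete_self": 0x400, "move_self": 0x800,
}
DEFAULT = ("close_write", "create", "delete", "move", "delete_self", "move_self")
IN_Q_OVERFLOW = 0x4000
HEADER = struct.Struct("iIII")  # wd, mask, cookie, len of struct inotify_event


def build_mask(names=DEFAULT):
    """OR together the mask bits for a list of event names."""
    mask = 0
    for name in names:
        mask |= EVENTS[name]
    return mask


def decode(buf, mask):
    """Parse a buffer read from an inotify fd; return (names, filename) per event."""
    out, pos = [], 0
    while pos + HEADER.size <= len(buf):
        _wd, ev_mask, _cookie, name_len = HEADER.unpack_from(buf, pos)
        pos += HEADER.size
        filename = buf[pos:pos + name_len].split(b"\0", 1)[0].decode(errors="replace")
        pos += name_len
        if ev_mask & IN_Q_OVERFLOW:
            out.append((["overflow"], ""))  # kernel dropped events: rescan the tree
            continue
        hits = [n for n, bit in EVENTS.items() if ev_mask & bit & mask]
        if hits:
            out.append((hits, filename))
    return out


def watch(path, names=DEFAULT):
    """Block on `path` and yield decoded events (Linux only, uses libc inotify)."""
    libc = ctypes.CDLL("libc.so.6", use_errno=True)
    fd = libc.inotify_init()
    mask = build_mask(names)
    if fd < 0 or libc.inotify_add_watch(fd, os.fsencode(path), mask) < 0:
        raise OSError(ctypes.get_errno(), "inotify setup failed")
    while True:
        yield from decode(os.read(fd, 4096), mask)
```

An overflow record means the kernel queue filled and changes were missed, so a monitor relying on these events should re-check the watched tree when it sees one.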

Version 0.2.2

  • Fix the bug where the file being watched contains one of the formats available for substitution
  • Watch the renamed/moved directory properly
  • Fix unnecessary watching of create event
  • Add the ability to reload the configuration file using the SIGHUP signal
  • Add the ability to specify the charse


Post scriptum

Compliance Mandates

  • Forensics:

    PCI DSS 10.2, 12.9, A.1.4*, SOX DS7, HIPAA 164.308(a)(1) and (a)(6), FISMA IR-7, ISO 27001/27002 13.2.1, 13.2.3
    *Shared Hosting Providers Only

