fslogger-yaml

Patched version of fslogger to output data in YAML format. Current versions of fslogger output data in ASCII format which makes review and reporting easy but parsing difficult. YAML formatting means that other parsers can be developed to extract specific information and output in other formats. Hopefully this makes analysis easier.

Compile fslogger-yaml

Compiling requires Apple's OpenSource XNU. Clone this into the fslogger-yaml working directory and provide GCC with the BSD libraries location.

cutaway> gcc -I./xnu/bsd -Wall -o fslogger-yaml udp_client.c fslogger-yaml.c

Usage

Data is output to STDOUT.

cutaway> sudo ./fslogger-yaml

Data is redirected to file "test-output.yaml".

cutaway> sudo ./fslogger-yaml >test-output.yaml

Data is output to the file "test-output.yaml".

cutaway> sudo ./fslogger-yaml test-output.yaml

Data is output to a remote system using UDP.

cutaway> sudo ./fslogger-yaml -u -h 192.168.1.5 -p 12345

Parsing with fslogger-yaml-python

The Python parser provides methods to output lists of processes, the files manipulated by those processes, and the types of actions performed on those files. The script is written modularly so that it can be used from other programs and easily extended with additional functionality.

cutaway:> python fslogger-yaml-parser.py
fslogger-yaml-parser.py:  This script will take YAML output of fslogger data
                          and parse it for various information. Multiple options
                          can be selected.

-f <file>:       Input file (required)
-p:              Print process identifier numbers and a list of corresponding process names.
-n:              Print process identifier and then list the files associated with each process name.
-t:              Print action types and then list the files associated with each action.
-h:              Print help.

Avoiding Recursive File Event Logging

Writing the log to a file on the same system whose file system you are monitoring raises a concern: the logger's own writes generate further file system events, which are themselves logged. These events could be suppressed programmatically, but the extra processing could introduce delays that hurt performance. Performance problems can lead to dropped events and force Spotlight or Time Machine, which have priority over FSEvents, to perform additional actions and delay processing further.

One alternative is to use fslogger-yaml's UDP output to send the data to a remote system. It is also possible to write the output of fslogger-yaml to a separate, appropriately prepared volume, as outlined in the FSEvents documentation.
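The following is an added example, not code from the fslogger-yaml project, that covers two points above: the -p/-n/-t views the Python parser produces (processes, files per process, files per action type), and the post-processing counterpart of the self-event problem described in this section, dropping records produced by the logger's own pid or its own output file. The YAML layout used here (a list of flat mappings with keys pid, process, type and path) and the event names are constructed assumptions; fslogger-yaml's real key names may differ, so adjust the KEY_* constants to match actual output. PyYAML is used when installed; otherwise a small fallback parser handles the flat-list subset.

```python
"""Summarise fslogger-yaml style records (ASSUMED schema) per process and per
action type, and drop the events the logger generated about itself."""
from collections import defaultdict

try:
    import yaml  # PyYAML, used when available
except ImportError:  # fall back to a minimal parser for the flat-list subset
    yaml = None

# Constructed sample in an ASSUMED schema (a YAML list of flat mappings).
# The last record is the logger's own write to its redirected output file.
SAMPLE_YAML = """\
- pid: 501
  process: Finder
  type: FSE_CREATE_FILE
  path: /Users/demo/Desktop/notes.txt
- pid: 501
  process: Finder
  type: FSE_CONTENT_MODIFIED
  path: /Users/demo/Desktop/notes.txt
- pid: 812
  process: mdworker
  type: FSE_STAT_CHANGED
  path: /Users/demo/Desktop/notes.txt
- pid: 950
  process: bash
  type: FSE_DELETE
  path: /tmp/scratch.log
- pid: 1200
  process: fslogger-yaml
  type: FSE_CONTENT_MODIFIED
  path: /Users/demo/test-output.yaml
"""

# Assumed key names; change these if the real fslogger-yaml output differs.
KEY_PID, KEY_PROC, KEY_TYPE, KEY_PATH = "pid", "process", "type", "path"


def _fallback_load(text):
    """Parse only the subset used above: '- key: value' starts a record and
    indented 'key: value' lines extend it. Integer values become ints."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            current = {}
            records.append(current)
            line = line[2:]
        if current is None:
            raise ValueError("mapping line outside a list item: %r" % raw)
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("expected 'key: value': %r" % raw)
        value = value.strip()
        current[key.strip()] = int(value) if value.isdigit() else value
    return records


def load_events(text):
    """Return the list of event mappings from YAML text."""
    return yaml.safe_load(text) if yaml else _fallback_load(text)


def exclude_self(events, own_pid=None, output_path=None):
    """Drop events caused by the logger itself: its own pid, or any event on
    its output file. The same test can run inside the logger before a record
    is emitted, at the cost of extra work per event."""
    return [e for e in events
            if e[KEY_PID] != own_pid and e[KEY_PATH] != output_path]


def processes(events):
    """-p view: pid -> set of process names observed under that pid."""
    out = defaultdict(set)
    for e in events:
        out[e[KEY_PID]].add(e[KEY_PROC])
    return dict(out)


def files_by_process(events):
    """-n view: (pid, process) -> sorted distinct paths it touched."""
    out = defaultdict(set)
    for e in events:
        out[(e[KEY_PID], e[KEY_PROC])].add(e[KEY_PATH])
    return {k: sorted(v) for k, v in out.items()}


def files_by_action(events):
    """-t view: action type -> sorted distinct paths it was applied to."""
    out = defaultdict(set)
    for e in events:
        out[e[KEY_TYPE]].add(e[KEY_PATH])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    evts = exclude_self(load_events(SAMPLE_YAML), own_pid=1200,
                        output_path="/Users/demo/test-output.yaml")
    for pid, names in sorted(processes(evts).items()):
        print(pid, ", ".join(sorted(names)))
    for (pid, name), paths in sorted(files_by_process(evts).items()):
        print("%d %s: %s" % (pid, name, " ".join(paths)))
    for action, paths in sorted(files_by_action(evts).items()):
        print("%s: %s" % (action, " ".join(paths)))
```

Filtering after the fact, as here, keeps the capture path fast and avoids the processing delays this section warns about; the cost is that the logger's own events still occupy space in the output until the parser discards them.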

Preventing File System Event Storage

In some cases, the contents of a volume are sufficiently secret that it is not appropriate to log them. To disable logging on a per-volume basis (for creating a backup volume, for example), you must do the following:

  • Create a .fseventsd directory at the top level of the volume.
  • Create an empty no_log file in that directory.

So if your volume is mounted at /Volumes/MyDisk, you would create an empty file called /Volumes/MyDisk/.fseventsd/no_log.

TODO

  • Add ruby parser <- John H. Sawyer?

Other OSX File Activity Monitoring Methods

  • fslogger - an update of the original fslogger
    • Requires OpenSource XNU to compile. No need to build, just run the compilation line in the build instructions.
  • fswatch - a similar project that might meet your needs.
    • FSW was created to replace fswatch but then they merged and fswatch became primary, again.
  • fs_usage - a tool that outputs detailed information about file modifications, network connections, and other important OS activity (yes, I should be looking at this).