A File System Change Logger for Leopard

Tuesday, March 11, 2008 at 12:07 PM

When you use Mac OS X, you frequently access files and folders. But you might not realize how often you are creating and modifying files and folders. Developers, power users, and even curious regular users have long been interested in observing and understanding file system changes. This desire might be for security reasons, analyzing software, troubleshooting, or just out of plain old curiosity. In any case, being able to see how files are changing on your machine in real time is a powerful capability.

About three years ago, Apple released Mac OS X Tiger. One major feature of Tiger was the Spotlight search technology, and one of Spotlight's lowest-level building blocks is a kernel-level file system event notification mechanism called fsevents. Spotlight relies upon this mechanism to know about file system changes in real time. Soon after Tiger's release, I released fslogger, a program that subscribes to the fsevents mechanism and displays file system change notifications as they arrive from the kernel. fslogger went on to be quite a popular tool in some circles.

In Mac OS X Leopard, the fsevents mechanism is used for more than just Spotlight. Apple even added the FSEvents API as a way for your applications to ask for notification when the contents of a directory hierarchy are modified. (Being directory-level, FSEvents API notifications aren't as granular as directly using fsevents, like fslogger does, but then direct use of fsevents isn't without caveats either.) All said, it can indeed be greatly useful during experimentation to be able to retrieve complete, unfiltered fsevents data from the kernel.

Here's an excerpt from fslogger's output.

$ sudo ./fslogger
=> received 90 bytes
# Event
pid = 13 (syslogd)
# Details
# type len data
FSE_ARG_STRING 24 string = /private/var/log/asl.db
FSE_ARG_DEV 4 dev = 0xe000002 (major 14, minor 2)
FSE_ARG_INO 4 ino = 4277280
FSE_ARG_MODE 4 mode = -rw------- (0x008180, vnode type VREG)
FSE_ARG_UID 4 uid = 0 (root)
FSE_ARG_GID 4 gid = 0 (wheel)
FSE_ARG_INT64 8 tstamp = 25511051709692
FSE_ARG_DONE (0xb33f)
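As an added illustration (not part of fslogger or the original post), the following Python parses records in the layout shown above into one dict per kernel event and flags completed events whose path lies under a watched prefix, which is how one would post-process a capture for monitoring. The sample input is constructed: the first record mirrors the excerpt, the second (pid 4242, vi, /etc/sudoers) is invented.

```python
import re
# Constructed sample in fslogger's layout; the second record is invented.
SAMPLE = """\
=> received 90 bytes
# Event
pid = 13 (syslogd)
# Details
# type len data
FSE_ARG_STRING 24 string = /private/var/log/asl.db
FSE_ARG_DEV 4 dev = 0xe000002 (major 14, minor 2)
FSE_ARG_INO 4 ino = 4277280
FSE_ARG_MODE 4 mode = -rw------- (0x008180, vnode type VREG)
FSE_ARG_UID 4 uid = 0 (root)
FSE_ARG_GID 4 gid = 0 (wheel)
FSE_ARG_INT64 8 tstamp = 25511051709692
FSE_ARG_DONE (0xb33f)
=> received 64 bytes
# Event
pid = 4242 (vi)
# Details
FSE_ARG_STRING 13 string = /etc/sudoers
FSE_ARG_UID 4 uid = 0 (root)
FSE_ARG_DONE (0xb33f)
"""
PID_RE = re.compile(r"^pid = (\d+) \((.*)\)$")
ARG_RE = re.compile(r"^(FSE_ARG_\w+) (\d+) (\w+) = (.*)$")

def parse_fslogger(text):
    """Group fslogger's output lines into one dict per kernel event."""
    events, cur = [], None
    for line in text.splitlines():
        if line.startswith("=> received"):          # a new event record begins
            cur = {"args": {}, "complete": False}
            events.append(cur)
        elif cur is None or line.startswith("#"):   # section and column headers
            continue
        elif line.startswith("FSE_ARG_DONE"):       # 0xb33f terminator
            cur["complete"] = True
        elif (m := PID_RE.match(line)):
            cur["pid"], cur["process"] = int(m.group(1)), m.group(2)
        elif (m := ARG_RE.match(line)):
            _kind, _length, field, value = m.groups()
            cur["args"][field] = value                # e.g. args["uid"] == "0 (root)"
    return events

def flag_sensitive(events, prefixes):
    """Complete events whose path lies under one of the watched prefixes."""
    return [(e["pid"], e["process"], e["args"]["string"]) for e in events
            if e["complete"] and e["args"].get("string", "").startswith(tuple(prefixes))]
```

Incomplete records (no FSE_ARG_DONE seen, e.g. a truncated capture) are kept but never flagged.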

I had to make some changes to fslogger to make it compatible with Leopard. Here's the new version that works with Leopard. Source code is also available.