How to monitor file changes with fswatch

Jack Wallen shows you how to install and use the directory monitor tool, fswatch.

With each passing day, it seems we are more and more likely to suffer from data theft. To that end, we do everything in our power to prevent such an event. We pay exorbitant prices for a secure network pipe, spend long hours constantly configuring and updating our servers, and so much more. And yet, our data is still vulnerable.

That's why most admins go out of their way to monitor that precious cargo. Any tool you can find to monitor files and directories is a must-have. One such tool is fswatch. The fswatch application is a free, open-source cross-platform monitor that checks for changes in files and sends notifications (to standard output) when the contents of those watched files are altered.

Fswatch is somewhat basic in its functionality, but that also helps make it useful and easy for admins to monitor crucial directories that hold configurations for server systems or user data. When something changes in those directories, fswatch lets you know. Fswatch is available for Linux, macOS, Solaris, and Windows.

I'm going to walk you through the process of installing and running fswatch on the Ubuntu Server 18.04 platform.

What you need

The only things you need are a running instance of Ubuntu Server 18.04, a user with sudo privileges, a directory to watch, and (optional) a bit of creativity. If your platform of choice is not Linux, you need to modify the installation instructions to suit your needs.


The first thing to do is install fswatch. Fortunately, fswatch can be found in the standard Ubuntu repository, so the installation is just a matter of running the command:

sudo apt-get install fswatch -y

Once that installation finishes, you're ready to start using fswatch.


Using fswatch is quite simple. Secure shell into the same server from two different terminal windows. In the first terminal create a test directory with the command mkdir TEST and then issue the command fswatch TEST. From the second terminal window, change into the TEST directory (with the command cd TEST) and then issue the command touch testing. Back in the first terminal, fswatch will print out a notification for the newly created file (Figure A).

Figure A: Our newly created directory, reported by fswatch.

Back in the second terminal, open testing for editing with the command nano testing. Add some text to that file and then save/close it. fswatch will immediately report that testing has been opened for editing by appending an .swp at the end (Figure B).

Figure B: Something is amiss with our testing file.

To cancel the fswatch command, type the [Ctrl]+[c] key combination, and you'll be given back your prompt.

If you don't want to see those reports in real time, you can set a latency, which will cause fswatch to poll the directory for changes every X seconds. Say you want to poll the directory only every 10 seconds; that command would be:

fswatch -l 10 TEST

You can also have fswatch print a timestamp for an event with the command:

fswatch --timestamp TEST

The above command will print out a timestamp along with every event (Figure C).

Figure C: The timestamp helps to make it clear when an event occurred.

If you don't want to watch the terminal window for events, you can always output the information it prints to a file, like so:

fswatch --timestamp TEST > fswatch_output

If you want your command prompt returned to you, append the & character like so:

fswatch --timestamp TEST > fswatch_output &

You will be given a PID number (Figure D) for the running fswatch command. You'll need that number to kill the command (otherwise it will continue running in the background, collecting data in fswatch_output).

Figure D: Our fswatch process ID number.

To kill fswatch, issue the command:

kill PID

Where PID is the number reported after running the fswatch command.

And that's how you can easily monitor a directory for changes with fswatch.

Get creative

Because we're working with Linux, you can get as creative as needed with fswatch. Use it in batch scripts, with regular expressions, in pipes, and more. No matter how you use fswatch, it can keep you apprised of when something is amiss in your directories.
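
One way to use fswatch in a pipe, as an added example that is not from the original article: each reported path is turned into an audit line with a UTC timestamp and a SHA-256 hash of the file's current contents, and editor scratch files are skipped. The function name record_changes, the script name watch.sh, and the log file name fswatch_audit.log are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original article.
# record_changes (hypothetical helper name) reads one path per line on stdin,
# which is the default output format of `fswatch TEST`.
record_changes() {
    local path stamp digest
    while IFS= read -r path; do
        # Ignore editor scratch files such as the .swp entry shown in Figure B.
        case "$path" in
            *.swp|*.swx|*~) continue ;;
        esac
        stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
        if [ -f "$path" ]; then
            # Hash the contents as they are now, so a later event on the same
            # path can be compared to see whether the data really changed.
            digest=$(sha256sum < "$path" | cut -d' ' -f1)
            printf '%s CHANGED %s %s\n' "$stamp" "$digest" "$path"
        elif [ -e "$path" ]; then
            # Directories and other non-regular files: record the event only.
            printf '%s CHANGED - %s\n' "$stamp" "$path"
        else
            # The path no longer exists (deleted or renamed away).
            printf '%s REMOVED - %s\n' "$stamp" "$path"
        fi
    done
}

# Live use (assumes fswatch is installed): ./watch.sh TEST >> fswatch_audit.log
# The script name and log file name are placeholders.
if [ "$#" -ge 1 ] && command -v fswatch >/dev/null 2>&1; then
    fswatch "$1" | record_changes
fi
```

Comparing the hash on consecutive lines for the same path shows whether an event changed the file's contents or only touched it.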
