File Monitor (filemon) is another one of the freeware utilities I wrote as an example of using FSEvents directly for my book. The original example was really simple, and buggy at times - but nonetheless useful, as it allowed tracking filesystem activity in OS X - and (more importantly) iOS. I've fixed the bugs along the way, and now - with MOXiI's 2nd Edition around the corner - it's time to do a version 2.0 of this one.
File Monitor 2.0 can not just log events, but also respond to them. There are two new actions which may be taken by the tool automatically on a matching event:
stop: Send the process generating the event a SIGSTOP, so you can "freeze" it, and then attach a debugger , etc.
link: auto-create a hard-link to the file being created. This will prevent the file from being deleted (unlinked), because an inode is retained so long as it has at least one link. You are responsible for rming that link.
Note that both actions aren't guaranteed, because there is a latency in FSEvents. Blame XNU, not me. So there are cases where by the time the process has been stopped it may have already snuck a few more operations (or, in some cases, exited). Likewise, there are cases when files are created and removed so fast that the link creation will fail. That said, for most lengthier and non-atomic operations this has been working pretty well
Another important feature is filtering: whereas v1.0 was just grep(1)-able, v2.0 allows you to specify pathname filters (separated by ","), process names or IDs (again, separated by ","), or events (from those supported by FSEvents, of course). This is actually required if you're using the auto-stop (-s) feature, because otherwise you run the risk of filemon firing STOP signals wildly, which might actually stop your own session!
And, of course, color :-) The usual JCOLOR=1, or -c or --color.
No arguments - catch everything (just like original version of tool). Filemon will filter itself
With color (because it's always nicer in color :-)
Auto-link any created file (so it doesn't get removed). This is now automatically done in iOS to /private/var/tmp/filemon, which ensures that A) link survives if entire directory hierarchy is nuked and B) you won't clutter your FS after rebooting.
Auto-stop anyone touching a container:
Jason Haddix - http://community.hpe.com/t5/Protect-Your-Assets/Realtime-iOS-Filesystem-Monitoring-Installing-and-Using-filemon/ba-p/5923145#.V1XlWGZbuqA
Q & A
Is this open source? Yes. The source is in the TAR
When's the book coming out?! A book is coming out mid July. Stay tuned.
And when is the next training on iOS/OSX internals? August 8th, in SFO - See here. And if you go the training you'll get a free copy of the book, too :-)
If you have any features you want to see in this tools (or others), simply tell me through the NewOSXBook Forum.
If you want to modify the source - you can. It's open. Personally I'd rather you tell me, and I'd gladly add the change(s) so others can enjoy it. But at any rate - have the decency to leave the links to the website and comments verbatim, rather than dumping it in Github and claiming you wrote it.