1filegone(8)                 System Manager's Manual                filegone(8)
2
3
4

NAME

6       filegone  -  Trace  why  file  gone  (deleted  or  renamed). Uses Linux
7       eBPF/bcc.
8

SYNOPSIS

10       filegone [-h] [-p PID]
11

DESCRIPTION

13       This traces  why  file  gone/vanished,  providing  information  on  who
14       deleted or renamed the file.
15
16       This  works  by tracing the kernel vfs_unlink() , vfs_rmdir() , vfs_re‐
17       name functions.
18
19       Since this uses BPF, only the root user can use this tool.
20

REQUIREMENTS

22       CONFIG_BPF and bcc.
23

OPTIONS

25       -h     Print usage message.
26
27       -p PID Trace this process ID only (filtered in-kernel).
28

EXAMPLES

30       Trace all file gone events
31              # filegone
32
33       Trace file gone events caused by PID 181:
34              # filegone -p 181
35

FIELDS

37       TIME   Time of the event.
38
39       PID    Process ID that renamed/deleted the file.
40
41       COMM   Process name for the PID.
42
43       ACTION action on file: 'DELETE' or 'RENAME'
44
45       FILE   Filename.
46

OVERHEAD

48       This traces the kernel VFS file rename and delete functions and  prints
49       output  for each event. As the rate of this is generally expected to be
50       low (< 1000/s), the overhead is also expected to be  negligible.   This
51       is from bcc.
52
53              https://github.com/iovisor/bcc
54
55       Also  look  in  the bcc distribution for a companion _examples.txt file
56       containing example usage, output, and commentary for this tool.
57

OS

59       Linux
60

STABILITY

62       Unstable - in development.
63

AUTHOR

65       Curu Wong
66

SEE ALSO

68       filelife(8)
69
70
71
72USER COMMANDS                     2022-11-18                       filegone(8)
Impressum