simlun/command.sh

## command.sh
sudo sysctl fs.inotify.max_user_watches=524288
sudo inotifywait -r -m --format "%e;%w%f" /bin /boot /etc /home /lib /lib64 /opt /root /sbin /srv /tmp /usr /var | ./dirstats.py

## dirstats.py
#!/usr/bin/env python2.7
import fileinput

from collections import defaultdict


counter = defaultdict(lambda: defaultdict(int))


def print_counter():
    print "-" * 80
    for event, counts in counter.items():
        for directory, count in counts.items():
            print event, '/' + directory, count
    print "-" * 80
    for event, counts in counter.items():
        print event, reduce(lambda a, b: a + b, counts.values())
    print "-" * 80


import atexit
atexit.register(print_counter)


for line in fileinput.input():
    line = line.strip()
    print line
    event, path = line.split(";")
    first_dir = path.split('/', 2)[1]
    counter[event][first_dir] += 1

## example_output.txt
--------------------------------------------------------------------------------
OPEN /bin 14
OPEN /lib 128
OPEN /etc 124
OPEN /usr 145
OPEN /var 3
OPEN /home 35
CREATE /home 1
CLOSE_NOWRITE,CLOSE,ISDIR /bin 4
CLOSE_NOWRITE,CLOSE,ISDIR /etc 2
CLOSE_NOWRITE,CLOSE,ISDIR /usr 192
CLOSE_NOWRITE,CLOSE,ISDIR /home 32
MODIFY /var 4
ACCESS /bin 28
ACCESS /lib 147
ACCESS /etc 145
ACCESS /usr 131
ACCESS /var 1
ACCESS /home 59
CLOSE_WRITE,CLOSE /var 2
OPEN,ISDIR /bin 4
OPEN,ISDIR /etc 2
OPEN,ISDIR /usr 192
OPEN,ISDIR /home 32
ACCESS,ISDIR /bin 8
ACCESS,ISDIR /etc 4
ACCESS,ISDIR /usr 384
ACCESS,ISDIR /home 64
CLOSE_NOWRITE,CLOSE /bin 13
CLOSE_NOWRITE,CLOSE /lib 74
CLOSE_NOWRITE,CLOSE /etc 124
CLOSE_NOWRITE,CLOSE /usr 58
CLOSE_NOWRITE,CLOSE /var 1
CLOSE_NOWRITE,CLOSE /home 34
DELETE /home 1
--------------------------------------------------------------------------------
OPEN 449
CREATE 1
CLOSE_NOWRITE,CLOSE,ISDIR 230
MODIFY 4
ACCESS 511
CLOSE_WRITE,CLOSE 2
OPEN,ISDIR 230
ACCESS,ISDIR 460
CLOSE_NOWRITE,CLOSE 304
DELETE 1
--------------------------------------------------------------------------------
	sudo sysctl fs.inotify.max_user_watches=524288
	sudo inotifywait -r -m --format "%e;%w%f" /bin /boot /etc /home /lib /lib64 /opt /root /sbin /srv /tmp /usr /var \| ./dirstats.py
	#!/usr/bin/env python2.7
	import fileinput

	from collections import defaultdict


	counter = defaultdict(lambda: defaultdict(int))


	def print_counter():
	print "-" * 80
	for event, counts in counter.items():
	for directory, count in counts.items():
	print event, '/' + directory, count
	print "-" * 80
	for event, counts in counter.items():
	print event, reduce(lambda a, b: a + b, counts.values())
	print "-" * 80


	import atexit
	atexit.register(print_counter)


	for line in fileinput.input():
	line = line.strip()
	print line
	event, path = line.split(";")
	first_dir = path.split('/', 2)[1]
	counter[event][first_dir] += 1
	--------------------------------------------------------------------------------
	OPEN /bin 14
	OPEN /lib 128
	OPEN /etc 124
	OPEN /usr 145
	OPEN /var 3
	OPEN /home 35
	CREATE /home 1
	CLOSE_NOWRITE,CLOSE,ISDIR /bin 4
	CLOSE_NOWRITE,CLOSE,ISDIR /etc 2
	CLOSE_NOWRITE,CLOSE,ISDIR /usr 192
	CLOSE_NOWRITE,CLOSE,ISDIR /home 32
	MODIFY /var 4
	ACCESS /bin 28
	ACCESS /lib 147
	ACCESS /etc 145
	ACCESS /usr 131
	ACCESS /var 1
	ACCESS /home 59
	CLOSE_WRITE,CLOSE /var 2
	OPEN,ISDIR /bin 4
	OPEN,ISDIR /etc 2
	OPEN,ISDIR /usr 192
	OPEN,ISDIR /home 32
	ACCESS,ISDIR /bin 8
	ACCESS,ISDIR /etc 4
	ACCESS,ISDIR /usr 384
	ACCESS,ISDIR /home 64
	CLOSE_NOWRITE,CLOSE /bin 13
	CLOSE_NOWRITE,CLOSE /lib 74
	CLOSE_NOWRITE,CLOSE /etc 124
	CLOSE_NOWRITE,CLOSE /usr 58
	CLOSE_NOWRITE,CLOSE /var 1
	CLOSE_NOWRITE,CLOSE /home 34
	DELETE /home 1
	--------------------------------------------------------------------------------
	OPEN 449
	CREATE 1
	CLOSE_NOWRITE,CLOSE,ISDIR 230
	MODIFY 4
	ACCESS 511
	CLOSE_WRITE,CLOSE 2
	OPEN,ISDIR 230
	ACCESS,ISDIR 460
	CLOSE_NOWRITE,CLOSE 304
	DELETE 1
	--------------------------------------------------------------------------------