Home > Uncategorized > Finding Changes with Timestamps

Finding Changes with Timestamps

Timestamps are important in terms of diagnostics because they provide you with information about when an event occurred. For example, when a file was last changed. This information alone is invaluable for troubleshooting. The timestamp represents the last time the file was modified. As you look at these examples, you can see they all have different modification dates.
Dates. The file training was modified 2000-07-05 at 19.01 and the file squid.rtf was modified 2008-05-27 at 16:24 so you can see both date and time are available.
-rw-r–r– 1 mike mike 30722 2008-07-05 19:01 training
-rw-r–r– 1 mike mike 997 2008-05-27 16:24 squid.rtf

In these examples you see a directory, notice the “d” at the start of the line. The dates of this same directory are different because a sub-directory was changed in test so the second example reflects that change.
drwxr-xr-x 3 mike mike 4096 2008-08-13 16:47 test
drwxr-xr-x 4 mike mike 4096 2008-08-14 09:21 test

A powerful utility for locating changes is the find command. With the Linux find utility, you can perform powerful searches on just about any criterion you can think of, and then–from the same command-line entry–invoke another utility to do whatever you need to do with the results.
In order to perform the most basic of searches, you’ll need to specify two things:
The search path–You can perform a search in either a specific path, or the entire filesystem. Since find is inherently recursive, the search will automatically extend to all of the subdirectories beneath of the directory that you specify.
What you’re searching for–There are a lot of ways that you can specify this. You can search for files of a specific name, and decide whether to make the search case-sensitive. You can also use wildcards, or search for files with certain characteristics or that are of a certain age. Or, you can combine multiple criteria for even more specific searches. The main thing that limits you is your own imagination.

So now, for example if you want to search the entire filesystem for all files whose names end in “.conf”. You’ll want to use either the “-name” or the “-iname” switch in front of the file description that you want to search for. Otherwise, you’ll get a jumbled up mess of every directory listing that you’ve searched, with the information you’re looking for mixed in. For case-sensitive searches, use “-name”; for case-insensitive searches, use “-iname”. In this case, use “-iname”, since you want to make the search case-insensitive. If you include a wildcard character in with a search criterion, you’ll need to enclose that search criterion in quotes. That will keep the shell from interpreting the wildcard character as an ambiguous file reference.

sudo find / -iname ‘*.conf’
—cut—
/etc/vsftpd/vsftpd.conf
/root/vsftpd.conf
—cut—
In reference to timestamps what you are really interested in are two requirements, the name of the file and the time it was changed.

You can perform searches with more than one search criterion. If you separate the criteria with a space, it will be the same as placing an “and” operator between them. The “-mtime -7″ switch to find all of the “.conf” files that were modified within the last seven days.

sudo find / -iname ‘*.conf’ -mtime -7
/etc/mplayerplug-in.conf
/etc/awstats/awstats.model.conf
/etc/awstats/awstats.localhost.localdomain.conf
/etc/httpd/conf.d/awstats.conf
/etc/yumex.profiles.conf
/var/cache/yum/yumex-mirror-cache.conf
—cut—

There are several important parts to find. First you will need to use sudo to be able to access many files as they will be owned by root. Use the find command followed by the directory you want to search. If you want to search the whole server use “/”. If you want to limit your search to a specific directory indicate that. Using the -iname is the easiest option as it allows all files regardless of case.

The important part is looking for a text string which must be enclosed in single quotes. A common wildcard is to use the “*” indicating it will match anything. So ‘*.conf’ will match any file that ends with “.conf”. If you use ‘*.*’ it will be a wildcard for anything. The -mtime is a search for files modified within a time period.

Here are some practical examples:

Files on the system modified within the last 24 hours. Note this is looking for all types of files on the whole system.

sudo find / -iname ‘*.*’ -mtime -1

Files that have changed in the /var/www directory in the last week.

sudo find /var/www -iname ‘*.*’ -mtime -7

Files that have changed in the apache web server configuration directory in the last 14 days.

sudo find /etc/apache2 -iname ‘*.*’ -mtime -14

You can change your search with find to locate files that have been accessed within a time period. For example if you wanted to locate files that have been accessed in the /usr/share directory you could use this command:

find /usr/share -iname ‘*.*’ -atime -1

That would list files accessed by a user or the system within the last 24 hours in the /usr/share directory.

About these ads
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 57 other followers

%d bloggers like this: