Finding Changes with Timestamps
Timestamps are important in terms of diagnostics because they provide you with information about when an event occurred. For example, when a file was last changed. This information alone is invaluable for troubleshooting. The timestamp represents the last time the file was modified. As you look at these examples, you can see they all have different modification dates.
Dates. The file training was modified 2000-07-05 at 19.01 and the file squid.rtf was modified 2008-05-27 at 16:24 so you can see both date and time are available.
-rw-r–r– 1 mike mike 30722 2008-07-05 19:01 training
-rw-r–r– 1 mike mike 997 2008-05-27 16:24 squid.rtf
In these examples you see a directory, notice the “d” at the start of the line. The dates of this same directory are different because a sub-directory was changed in test so the second example reflects that change.
drwxr-xr-x 3 mike mike 4096 2008-08-13 16:47 test
drwxr-xr-x 4 mike mike 4096 2008-08-14 09:21 test
A powerful utility for locating changes is the find command. With the Linux find utility, you can perform powerful searches on just about any criterion you can think of, and then–from the same command-line entry–invoke another utility to do whatever you need to do with the results.
In order to perform the most basic of searches, you’ll need to specify two things:
The search path–You can perform a search in either a specific path, or the entire filesystem. Since find is inherently recursive, the search will automatically extend to all of the subdirectories beneath of the directory that you specify.
What you’re searching for–There are a lot of ways that you can specify this. You can search for files of a specific name, and decide whether to make the search case-sensitive. You can also use wildcards, or search for files with certain characteristics or that are of a certain age. Or, you can combine multiple criteria for even more specific searches. The main thing that limits you is your own imagination.
So now, for example if you want to search the entire filesystem for all files whose names end in “.conf”. You’ll want to use either the “-name” or the “-iname” switch in front of the file description that you want to search for. Otherwise, you’ll get a jumbled up mess of every directory listing that you’ve searched, with the information you’re looking for mixed in. For case-sensitive searches, use “-name”; for case-insensitive searches, use “-iname”. In this case, use “-iname”, since you want to make the search case-insensitive. If you include a wildcard character in with a search criterion, you’ll need to enclose that search criterion in quotes. That will keep the shell from interpreting the wildcard character as an ambiguous file reference.
sudo find / -iname ‘*.conf’
In reference to timestamps what you are really interested in are two requirements, the name of the file and the time it was changed.
You can perform searches with more than one search criterion. If you separate the criteria with a space, it will be the same as placing an “and” operator between them. The “-mtime -7″ switch to find all of the “.conf” files that were modified within the last seven days.
sudo find / -iname ‘*.conf’ -mtime -7
There are several important parts to find. First you will need to use sudo to be able to access many files as they will be owned by root. Use the find command followed by the directory you want to search. If you want to search the whole server use “/”. If you want to limit your search to a specific directory indicate that. Using the -iname is the easiest option as it allows all files regardless of case.
The important part is looking for a text string which must be enclosed in single quotes. A common wildcard is to use the “*” indicating it will match anything. So ‘*.conf’ will match any file that ends with “.conf”. If you use ‘*.*’ it will be a wildcard for anything. The -mtime is a search for files modified within a time period.
Here are some practical examples:
Files on the system modified within the last 24 hours. Note this is looking for all types of files on the whole system.
sudo find / -iname ‘*.*’ -mtime -1
Files that have changed in the /var/www directory in the last week.
sudo find /var/www -iname ‘*.*’ -mtime -7
Files that have changed in the apache web server configuration directory in the last 14 days.
sudo find /etc/apache2 -iname ‘*.*’ -mtime -14
You can change your search with find to locate files that have been accessed within a time period. For example if you wanted to locate files that have been accessed in the /usr/share directory you could use this command:
find /usr/share -iname ‘*.*’ -atime -1
That would list files accessed by a user or the system within the last 24 hours in the /usr/share directory.
Leave a Reply Cancel reply
- Breaking News: Debian moves to LibreOffice
- Sabayon 6.0 Available For Download
- Monitoring User/Application Activity with psacct
- The Speed of Firefox 5.0
- Using the find Command to Locate Files h
- Protecting Nagios From Zero-Day Exploits
- RELEASE: Gentoo Linux LiveDVD 11.0 http:
- Nagios V-Shell Review and Mike Guthrie Interview
- OpenSUSE 11.3 Released
- Shared Wire Connection in Ubuntu
- Back In Time : System Restore on Ubuntu
- Making Sense of DNS
- Ubuntu Dropbox
- Change Ubuntu Login Screen
- Debian Installer
- Guest Post: Selecting a Linux Distribution
- Sabayon 5.1 Gamers Linux Screenshots
- PCLinuxOS 2009.2 MiniMe Video and Screenshots
- Pentoo 2009.0 Screenshots
- Calculate Linux 10.0 Screenshots
- Mounting an NTFS drive in Debian
- Insert Page Numbers in Openoffice Writer
- Figuring Out Group Permissions in Linux
- Saving Changes for iptables
- The Many Flavors of Linux
- Back In Time : System Restore on Ubuntu
- Modify Your Command Prompt
- Remote Display of the X Protocol
- How to Create an Internet Radio Station
- Installing Skype on Ubuntu 9.04