filegone - Trace why file gone (deleted or renamed). Uses Linux eBPF/bcc.

       Curu Wong

       This traces why file gone/vanished, providing information on who deleted or renamed the file.

       This works by tracing the kernel vfs_unlink() , vfs_rmdir() , vfs_rename functions.

       Since this uses BPF, only the root user can use this tool.

       Trace all file gone events
              # filegone

       Trace file gone events caused by PID 181:
              # filegone-p181

       TIME   Time of the event.

       PID    Process ID that renamed/deleted the file.

       COMM   Process name for the PID.

       ACTION action on file: 'DELETE' or 'RENAME'

       FILE   Filename.

       filegone - Trace why file gone (deleted or renamed). Uses Linux eBPF/bcc.

       -h     Print usage message.

       -p PID Trace this process ID only (filtered in-kernel).

       Linux

       This traces the kernel VFS file rename and delete functions and prints output for each event. As the rate
       of this is generally expected to be low (< 1000/s), the overhead is also expected to be negligible.  This
       is from bcc.

              https://github.com/iovisor/bcc

       Also  look  in  the bcc distribution for a companion _examples.txt file containing example usage, output,
       and commentary for this tool.

       CONFIG_BPF and bcc.

filelife(8)

USER COMMANDS                                      2022-11-18                                        filegone(8)

       Unstable - in development.

filegone[-h][-pPID]