File system event tracking

US 7,818,801 B2
Filed: 09/26/2006
Issued: 10/19/2010
Est. Priority Date: 09/26/2006
Status: Active Grant

First Claim

Patent Images

1. A file system audit method, comprising:

intercepting, by a kernel level application, file system events;

recording the intercepted file system events in a kernel memory;

retrieving the recorded file system events from kernel memory to a user level memory;

identifying, from the retrieved file system events, a first file system event changing a first file system object'"'"'s name from a first name to a second name;

identifying, from the retrieved file system events, a second file system event changing a second file system object'"'"'s name to the first name;

consolidating the first and second file system events into a distinct third file system event; and

recording the third file system event as a file modification event for the first file system object.

View all claims

27 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Automated file system event tracking and reporting techniques are described in which file system events requested by a user application are intercepted and recorded prior to the request being permitted to pass to the file system for execution. Similarly, file system responses to a prior captured file system event are also intercepted and recorded. Predefined patterns of file system event may be aggregated and reported as a single event.

14 Citations

View as Search Results

12 Claims

1. A file system audit method, comprising:
- intercepting, by a kernel level application, file system events;
  
  recording the intercepted file system events in a kernel memory;
  
  retrieving the recorded file system events from kernel memory to a user level memory;
  
  identifying, from the retrieved file system events, a first file system event changing a first file system object'"'"'s name from a first name to a second name;
  
  identifying, from the retrieved file system events, a second file system event changing a second file system object'"'"'s name to the first name;
  
  consolidating the first and second file system events into a distinct third file system event; and
  
  recording the third file system event as a file modification event for the first file system object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising, prior to the act of consolidating, identifying, from the retrieved file system events, a file system delete event for the first file system object.
  - 3. The method of claim 1, whereinthe act of identifying the first file system event comprises determining a first time associated with the first file system event,the act identifying the second file system event comprises determining a second time associated with the second file system event, andthe act of consolidating occurs only if the time between the first and second times is within a specified range.
  - 4. The method of claim 3, wherein the specified range is approximately 2 seconds.
  - 5. The method of claim 1, wherein the act of recording comprises writing to a log.
  - 6. The method of claim 1, wherein the act of writing to a log comprises writing to a database.
  - 7. The method of claim 6, wherein the database comprises a SQL database.
  - 8. A program storage device, readable by a programmable control device, comprising instructions stored on the program storage device for causing the programmable control device to perform the method of claim 1.

9. A file system audit method, comprising:
- intercepting, by a kernel level application, file system events;
  
  recording the intercepted file system events in a kernel memory;
  
  retrieving the recorded file system events from kernel memory to a user level memory;
  
  identifying, from the retrieved file system events, a first file system event copying a first file system object from a first location to a second location;
  
  identifying, from the retrieved file system events, a second file system event deleting the first file system object from the first location;
  
  consolidating the first and second file system events into a distinct third file system event; and
  
  recording the third file system event as a file move event for the first file system object.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, wherein the act of consolidating occurs only if a time associated with the first file system event and a time associated with the second file system event within a specified time interval.
  - 11. The method of claim 10, wherein the specified time interval is approximately 2 seconds.
  - 12. A program storage device, readable by a programmable control device, comprising instructions stored on the program storage device for causing the programmable control device to perform the method of claim 9.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
ScriptLogic Corporation (Quest Software, Inc.)
Inventors
Small, Brian Thomas
Primary Examiner(s)
GERGISO, TECHANE

Application Number

US11/535,317
Publication Number

US 20080077988A1
Time in Patent Office

1,484 Days
Field of Search

726/22, 707/672
US Class Current

726/22
CPC Class Codes

G06F 11/3476 Data logging G06F11/14, G06...

G06F 2201/86 Event-based monitoring

File system event tracking

First Claim

27 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

File system event tracking

First Claim

27 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links