File monitoring
First Claim
1. A computer-implemented method for monitoring one or more files, the method comprising:
detecting, by a kernel filter driver, a file-write request for a file of a set of files;
copying, by the kernel filter driver, one or more blocks of file-write information from the file-write request to a kernel buffer, the file-write information corresponding to a file-write event;
receiving, at a user mode process running a kernel buffer retrieval operation in a user mode, a portion of data from the kernel buffer comprising file-write information corresponding to at least one file-write event;
for each block of file-write information corresponding to one file-write event, in the received portion of data, labeling the block of file-write information according to a source of the file-write event; and
providing the labeled block of file-write information to a monitoring application in the user mode.
Abstract
Various methods and systems for monitoring files in a computer system are provided. In this regard, aspects of the invention facilitate file monitoring without file handle use, as it pertains to file monitoring and tailing, thereby mitigating file handle locking conflicts. In various implementations, information for the monitored files is obtained from the kernel using a filter driver in the I/O path. When the filter driver detects write operations being performed on monitored files, file-write data is copied and placed in a kernel buffer, where it can be pulled by a user mode monitoring process and fed to a monitoring application. As such, there is no need for coordination between the monitoring process and the user mode processes of other third-party applications writing data to monitored files.
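The abstract describes a two-stage pipeline: a kernel filter driver that copies write data for monitored files into a kernel buffer, and a user-mode process that pulls portions of that buffer, labels each block by the writing process, and feeds it to a monitoring application. The Python model below is an added illustration, not code from the patent or its assignee, and it runs entirely in user space with the "kernel" side simulated. The class names, the `process[pid]` label format, the overwrite-oldest overflow policy and the constructed write requests are all assumptions made for the example; a real deployment would be a kernel minifilter plus a user-mode service.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class WriteRequest:
    """A write as the filter driver would see it in the I/O path (constructed model)."""
    path: str
    pid: int
    process: str
    offset: int
    data: bytes


@dataclass(frozen=True)
class LabeledBlock:
    """One file-write event after the user-mode stage has tagged its source."""
    source: str
    path: str
    offset: int
    data: bytes


@dataclass
class KernelBuffer:
    """Bounded FIFO standing in for the kernel buffer. On overflow the oldest
    block is discarded and the drop count is exposed so the monitor can tell
    that its view of the file has a gap (assumed policy, not the patent's)."""
    capacity: int
    blocks: deque = field(default_factory=deque)
    dropped: int = 0

    def push(self, req: WriteRequest) -> None:
        if len(self.blocks) >= self.capacity:
            self.blocks.popleft()
            self.dropped += 1
        # Copy the bytes: the original request continues to the file system
        # untouched, and the monitor never needs a handle on the file.
        self.blocks.append(WriteRequest(req.path, req.pid, req.process,
                                        req.offset, bytes(req.data)))

    def retrieve(self, max_blocks: int) -> list:
        """The kernel-buffer retrieval operation: hand out a portion of the data."""
        out = []
        while self.blocks and len(out) < max_blocks:
            out.append(self.blocks.popleft())
        return out


class FilterDriver:
    """Model of the kernel filter driver: only writes to monitored files are
    copied into the buffer; all other I/O passes through unrecorded."""

    def __init__(self, monitored_paths, buffer: KernelBuffer):
        self.monitored = set(monitored_paths)
        self.buffer = buffer

    def on_write(self, req: WriteRequest) -> bool:
        if req.path not in self.monitored:
            return False
        self.buffer.push(req)
        return True


def label_blocks(blocks) -> list:
    """User-mode step: tag each block with the process that issued the write."""
    return [LabeledBlock(f"{b.process}[{b.pid}]", b.path, b.offset, b.data)
            for b in blocks]


class MonitoringApp:
    """Consumer of labeled blocks; keeps a per-source, per-file line tail so
    writes from different processes to the same file stay distinguishable."""

    def __init__(self):
        self.tail = {}  # (source, path) -> list of lines

    def consume(self, labeled) -> None:
        for lb in labeled:
            text = lb.data.decode("utf-8", errors="replace")
            self.tail.setdefault((lb.source, lb.path), []).extend(text.splitlines())


def run_demo() -> dict:
    """Drive the pipeline with constructed write requests and return what the
    monitoring application ends up holding plus the buffer's drop count."""
    buf = KernelBuffer(capacity=4)
    drv = FilterDriver({"/var/log/app.log"}, buf)
    requests = [  # constructed sample writes, not real system activity
        WriteRequest("/var/log/app.log", 101, "app", 0, b"started\n"),
        WriteRequest("/tmp/scratch.txt", 202, "editor", 0, b"ignored\n"),
        WriteRequest("/var/log/app.log", 303, "rotate", 8, b"rotated\n"),
        WriteRequest("/var/log/app.log", 101, "app", 16, b"request ok\n"),
    ]
    accepted = sum(drv.on_write(r) for r in requests)
    app = MonitoringApp()
    while True:
        portion = buf.retrieve(max_blocks=2)  # pull the buffer in small portions
        if not portion:
            break
        app.consume(label_blocks(portion))
    return {"accepted": accepted, "dropped": buf.dropped,
            "tail": {f"{s}:{p}": lines for (s, p), lines in app.tail.items()}}


if __name__ == "__main__":
    for key, lines in run_demo()["tail"].items():
        print(key, lines)
```

Because the monitor only ever reads copies out of the buffer, no process in this model opens the monitored file, which is the handle-locking conflict the abstract sets out to avoid. The `dropped` counter is the check a practitioner would add: a bounded buffer that silently overwrites would let a burst of writes hide lines from the monitor.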
Claims
1. The independent method claim given above under First Claim (dependent claims 2 through 18 not shown).
19. A system for monitoring one or more files, the system comprising:
one or more data processors; and
one or more computer-readable storage media containing instructions which, when executed on the one or more data processors, cause the one or more processors to perform operations including:
detecting, by a kernel filter driver, a file-write request for a file of a set of files;
copying, by the kernel filter driver, one or more blocks of file-write information from the file-write request to a kernel buffer, the file-write information corresponding to a file-write event;
receiving, at a user mode process running a kernel buffer retrieval operation in a user mode, a portion of data from the kernel buffer comprising file-write information corresponding to at least one file-write event;
for each block of file-write information corresponding to one file-write event, in the received portion of data, labeling the block of file-write information according to a source of the file-write event; and
providing the labeled block of file-write information to a monitoring application in the user mode.
(Dependent claims 20 and 21 not shown.)
22. One or more non-transitory computer storage media storing computer-executable instructions that, when executed by a computing device, perform a method for monitoring one or more files, the method comprising:
detecting, by a kernel filter driver, a file-write request for a file of a set of files;
copying, by the kernel filter driver, one or more blocks of file-write information from the file-write request to a kernel buffer, the file-write information corresponding to a file-write event;
receiving, at a user mode process running a kernel buffer retrieval operation in a user mode, a portion of data from the kernel buffer comprising file-write information corresponding to at least one file-write event;
for each block of file-write information corresponding to one file-write event, in the received portion of data, labeling the block of file-write information according to a source of the file-write event; and
providing the labeled block of file-write information to a monitoring application in the user mode.
(Dependent claims 23 through 26 not shown.)