LinuxCommandLibrary

fatrace

Trace file system activity

TLDR

Print file access events in all mounted filesystems to stdout

$ sudo fatrace

Limit output to a program with a specific name
$ sudo fatrace [[-C|--command]] [program_name]

Print file access events on the mount of the current directory to stdout
$ sudo fatrace [[-c|--current-mount]]

Add timestamps to the printout
$ sudo fatrace [[-t|--timestamp]]

SYNOPSIS

fatrace [options] [seconds]

PARAMETERS

-h, --help
    Display help text and exit.

-V, --version
    Display version information and exit.

-c
    Do not print close() events.

-f filter
    Filter events by string (comma-separated): open,close,read,write,opencat. opencat shows open fd category (e.g., RDONLY).

-o output
    Output to file instead of stdout.

-r
    Print events in reverse order (newest first).

DESCRIPTION

Fatrace is a lightweight Linux tool for dynamically tracing file access system calls across all processes. It uses the kernel's fanotify API (Linux 2.6.37+) to monitor open(2), read(2), write(2), and close(2) events system-wide, providing visibility without the per-process overhead of a tool like strace.

Output includes timestamp, PID, PPID, UID, event type, and filename, making it ideal for debugging I/O performance issues, auditing file accesses, identifying disk bottlenecks, or verifying application behavior. For example, it reveals which processes touch config files or generate heavy writes.

Run as root for full coverage (marks all mount points). Filters reduce noise, and options support timed runs or file logging. While efficient, busy systems produce high output volume; use -c or -f to focus events. Limitations include no tracing of mmap(2) or sendfile(2).

CAVEATS

Requires root (CAP_SYS_ADMIN) and a kernel with fanotify (2.6.37+). Misses mmap(2) and sendfile(2), so a trace is not a complete record of file access. Overhead and output volume are high on busy filesystems; filter wisely.

OUTPUT FORMAT

timestamp pid ppid uid event filename
Example: 14:45:32.123456 2323 1234 1000 open /etc/passwd
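
An added example (not part of the original page or of fatrace itself): a shell filter that reads a log in the six-field layout given above and reports events by non-root UIDs on a watched set of sensitive paths. The watch list, function names and sample lines are constructed for illustration; confirm the field layout against the output of your installed fatrace before relying on it.

```shell
#!/bin/sh
# Assumed line layout (from OUTPUT FORMAT): timestamp pid ppid uid event filename

# Watched path prefixes (constructed list; adjust for your hosts).
WATCH='/etc/shadow /etc/sudoers /etc/ssh/ /root/.ssh/'

# flag_sensitive: read log lines on stdin and print one line per event
# made by a non-root UID on a path that starts with a watched prefix.
flag_sensitive() {
    awk -v watch="$WATCH" '
    BEGIN { n = split(watch, prefixes, " ") }
    # Skip malformed lines: need 6+ fields and numeric pid, ppid, uid.
    NF < 6 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { next }
    {
        # Policy choice in this example: only non-root UIDs are reported.
        if ($4 == 0) next
        # The filename is everything after the fifth field, so paths
        # that contain spaces are kept intact.
        path = $0
        for (i = 1; i <= 5; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", path)
        for (i = 1; i <= n; i++)
            if (index(path, prefixes[i]) == 1) {
                printf "uid=%s pid=%s ppid=%s %s %s\n", $4, $2, $3, $5, path
                break
            }
    }'
}

# Constructed sample log in the assumed layout (not captured output).
sample_log() {
    cat <<'EOF'
14:45:32.123456 2323 1234 1000 open /etc/passwd
14:45:32.200001 2323 1234 1000 open /etc/shadow
14:45:33.000100 411 1 0 write /etc/sudoers
14:45:34.500000 2400 2323 1000 read /root/.ssh/id_ed25519
14:45:35.000000 2401 2323 1001 write /etc/ssh/sshd config.bak
garbage line
EOF
}

sample_log | flag_sensitive
```

To audit a saved trace, feed the file written with -o to the function: flag_sensitive < log.txt.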

EXAMPLES

fatrace 10 — Trace for 10 seconds.
fatrace -c -f open,read -o log.txt — Filtered opens/reads to file.

HISTORY

Developed by Brendan Gregg in 2013 for Linux performance tools. Uses fanotify for low-overhead tracing; available in distros via trace-cmd or bpftrace extras.

SEE ALSO

strace(1), perf-record(1), fanotify(7)
