LogAnalysis
[logs] OS/X Thumb drive activity logger May 31 2008 08:01AM
ron dilley (ron dilley gmail com) (1 replies)
RE: [logs] OS/X Thumb drive activity logger Jun 02 2008 05:09PM
Paul Melson (pmelson gmail com) (1 replies)
Re: [logs] OS/X Thumb drive activity logger Jun 02 2008 05:41PM
ron dilley (ron dilley gmail com)
Paul,

It does, too bad the fseventsd messages are not very verbose.

-----
May 30 16:07:40 oddball fseventsd[38]: log dir: /Volumes/Mac Backup/.fseventsd getting new uuid: 4AC6B60F-66AE-45F3-AEC7-BC0617139C39
May 30 17:00:07 oddball fseventsd[38]: event logs in /Volumes/Mac Backup/.fseventsd out of sync with volume. destroying old logs. (3047 1 3147)
May 30 17:00:07 oddball fseventsd[38]: log dir: /Volumes/Mac Backup/.fseventsd getting new uuid: 390B2F9C-7379-41D2-8D66-D1D8C075C68C
May 30 17:43:46 oddball fseventsd[38]: event logs in /Volumes/Mac Backup/.fseventsd out of sync with volume. destroying old logs. (2437 1 2619)
May 30 17:43:46 oddball fseventsd[38]: log dir: /Volumes/Mac Backup/.fseventsd getting new uuid: 0DD3442F-AE4E-475F-ABEB-9A835FF7A425
May 30 20:17:43 oddball fseventsd[38]: log dir: /Volumes/Untitled/.fseventsd getting new uuid: 5CE41EE7-90FE-4E54-B8E6-3B392F41C9BE
May 30 20:24:31 oddball fseventsd[38]: log dir: /Volumes/NO NAME/.fseventsd getting new uuid: 3DC03185-1E3C-428C-AC66-6201B1C163AB
-----

It would be nice to get a bit more from dmesg or mount (but this is getting
way off topic) . . .
-----
Initializing USB Mass Storage driver...
scsi2 : SCSI emulation for USB Mass Storage devices
usb-storage: device found at 6
usb-storage: waiting for device to settle before scanning
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
scsi 2:0:0:0: Direct-Access     WDC WD10 EACS-00ZJB0      1B01 PQ: 0 ANSI: 2 CCS
sd 2:0:0:0: [sdb] 1953525168 512-byte hardware sectors (1000205 MB)
sd 2:0:0:0: [sdb] Write Protect is off
sd 2:0:0:0: [sdb] Mode Sense: 00 38 00 00
sd 2:0:0:0: [sdb] Assuming drive cache: write through
sd 2:0:0:0: [sdb] 1953525168 512-byte hardware sectors (1000205 MB)
sd 2:0:0:0: [sdb] Write Protect is off
sd 2:0:0:0: [sdb] Mode Sense: 00 38 00 00
sd 2:0:0:0: [sdb] Assuming drive cache: write through
sdb: sdb1
sd 2:0:0:0: [sdb] Attached SCSI disk
sd 2:0:0:0: Attached scsi generic sg2 type 0
usb-storage: device scan complete
-----

vmd generates transaction logs:
-----
Jun 2 10:25:31 oddball vmd[9299]: action=FSE_CONTENT_MODIFIED file=/Volumes/Mac Backup/.Spotlight-V100/Store-V1/Stores/0AC77940-546E-4B6E-8B6B-5EAB404A202D/live.0.shadowIndexHead
Jun 2 10:25:31 oddball vmd[9299]: action=FSE_STAT_CHANGED file=/Volumes/Mac Backup/.Spotlight-V100/Store-V1/Stores/0AC77940-546E-4B6E-8B6B-5EAB404A202D/store.updates
Jun 2 10:25:31 oddball vmd[9299]: action=FSE_CONTENT_MODIFIED file=/Volumes/Mac Backup/.Spotlight-V100/Store-V1/Stores/0AC77940-546E-4B6E-8B6B-5EAB404A202D/store.updates
Jun 2 10:25:31 oddball vmd[9299]: action=FSE_STAT_CHANGED file=/Volumes/Mac Backup/.Spotlight-V100/Store-V1/Stores/0AC77940-546E-4B6E-8B6B-5EAB404A202D/live.0.indexUpdates
Jun 2 10:25:31 oddball vmd[9299]: action=FSE_CONTENT_MODIFIED file=/Volumes/Mac Backup/.Spotlight-V100/Store-V1/Stores/0AC77940-546E-4B6E-8B6B-5EAB404A202D/live.0.indexUpdates
Jun 2 10:25:31 oddball vmd[9299]: action=FSE_CONTENT_MODIFIED file=/Volumes/Mac Backup/.Spotlight-V100/Store-V1/Stores/0AC77940-546E-4B6E-8B6B-5EAB404A202D/live.0.indexHead
Jun 2 10:25:31 oddball vmd[9299]: action=FSE_CONTENT_MODIFIED file=/Volumes/Mac Backup/.Spotlight-V100/Store-V1/Stores/0AC77940-546E-4B6E-8B6B-5EAB404A202D/0.indexHead
Jun 2 10:25:31 oddball vmd[9299]: action=FSE_DELETE file=/Volumes/Mac Backup/.Spotlight-V100/Store-V1/Stores/0AC77940-546E-4B6E-8B6B-5EAB404A202D/journalAttr.925
-----

Thanks,

Ron

On Mon, Jun 2, 2008 at 10:09 AM, Paul Melson <pmelson (at) gmail (dot) com [email concealed]> wrote:

> > I could not find a tool that logs USB drive activity on OS/X so I put
> > together another 'poor mans solution' using syslog.
>
> Parsing /var/log/system.log for 'fseventsd' should show you all USB drive
> mount events:
>
> $ grep fseventsd /var/log/system.log
> Jun 2 13:01:15 mini2 fseventsd[39]: log dir: /Volumes/NO NAME/.fseventsd getting new uuid: 6C2D7881-D24A-424B-A3C0-32C32A403047
>
> PaulM
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
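
Added example (not part of the original messages): a small Python parser that turns the terse fseventsd lines discussed in this thread into structured per-volume records, handling volume names that contain spaces and the "out of sync" message as well as "getting new uuid". The sample log, host name, volume names and UUIDs are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample in the syslog format quoted in the thread (values are made up).
SAMPLE_LOG = """\
Jun  2 09:14:02 examplehost fseventsd[38]: log dir: /Volumes/NO NAME/.fseventsd getting new uuid: 11111111-2222-3333-4444-555555555555
Jun  2 09:20:10 examplehost mDNSResponder[21]: unrelated message
Jun  2 11:02:45 examplehost fseventsd[38]: event logs in /Volumes/Backup Disk/.fseventsd out of sync with volume. destroying old logs. (3047 1 3147)
Jun  2 11:02:45 examplehost fseventsd[38]: log dir: /Volumes/Backup Disk/.fseventsd getting new uuid: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
"""

HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"fseventsd\[\d+\]: (?P<msg>.*)$"
)
# Volume names may contain spaces, so match up to the literal "/.fseventsd".
NEW_UUID = re.compile(
    r"^log dir: /Volumes/(?P<vol>.+)/\.fseventsd getting new uuid: "
    r"(?P<uuid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})$"
)
OUT_OF_SYNC = re.compile(
    r"^event logs in /Volumes/(?P<vol>.+)/\.fseventsd out of sync with volume\."
)

def parse_fseventsd(text):
    """Return one dict per fseventsd line that names a volume under /Volumes."""
    events = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if not head:
            continue  # other daemons, blank lines
        msg = head.group("msg")
        new, stale = NEW_UUID.match(msg), OUT_OF_SYNC.match(msg)
        if new:
            kind, vol, uuid = "new_uuid", new.group("vol"), new.group("uuid")
        elif stale:
            kind, vol, uuid = "logs_destroyed", stale.group("vol"), None
        else:
            continue  # fseventsd message of a kind not shown in the thread
        events.append({"time": head.group("ts"), "host": head.group("host"),
                       "volume": vol, "event": kind, "uuid": uuid})
    return events

def volumes_seen(events):
    """Map volume name -> timestamps at which fseventsd assigned a new UUID."""
    seen = {}
    for e in events:
        if e["event"] == "new_uuid":
            seen.setdefault(e["volume"], []).append(e["time"])
    return seen
```

Feeding it the contents of /var/log/system.log gives the same lines the grep in the thread returns, with the volume name and UUID separated out for alerting or correlation.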

Copyright 2010, SecurityFocus