.TH filegone 8  "2022-11-18" "USER COMMANDS"
.SH NAME
filegone \- Trace why file gone (deleted or renamed). Uses Linux eBPF/bcc.
.SH SYNOPSIS
.B filegone [\-h] [\-p PID]
.SH DESCRIPTION
This traces why file gone/vanished, providing information on who deleted or
renamed the file. 

This works by tracing the kernel vfs_unlink() , vfs_rmdir() , vfs_rename
functions.

Since this uses BPF, only the root user can use this tool.
.SH REQUIREMENTS
CONFIG_BPF and bcc.
.SH OPTIONS
.TP
\-h
Print usage message.
.TP
\-p PID
Trace this process ID only (filtered in-kernel).
.SH EXAMPLES
.TP
Trace all file gone events
#
.B filegone
.TP
Trace file gone events caused by PID 181:
#
.B filegone \-p 181
.SH FIELDS
.TP
TIME
Time of the event.
.TP
PID
Process ID that renamed/deleted the file.
.TP
COMM
Process name for the PID.
.TP
ACTION
action on file: 'DELETE' or 'RENAME'
.TP
FILE
Filename.
.SH OVERHEAD
This traces the kernel VFS file rename and delete functions and prints output
for each event. As the rate of this is generally expected to be low
(< 1000/s), the overhead is also expected to be negligible.
This is from bcc.
.IP
https://github.com/iovisor/bcc
.PP
Also look in the bcc distribution for a companion _examples.txt file containing
example usage, output, and commentary for this tool.
.SH OS
Linux
.SH STABILITY
Unstable - in development.
.SH AUTHOR
Curu Wong
.SH SEE ALSO
filelife(8)