Topics: Red Hat / Linux, System Admin


Incron is an interesting piece of software for Linux, that can monitor for file changes in a specific folder, and can act upon those file changes. For example, it's possible to wait for files to be written in a folder, and have a command run to process these files.

Incron is not installed by default and is part of the EPEL repository. For Red Hat and CentOS 7, it's also possible to just download the RPM package from, for example using wget.

To install incron, run:

# yum -y install /path/to/incron*rpm
There are 4 files important for incron:
  • /etc/incron.conf - The main configuration file for incron, but this file can be left configured as default.
  • /usr/sbin/incrond - This is the incron daemon that will have to run for incron to work. You can simply start it by executing this command, and it will automatically run in the background. When it's no longer needed, you can simply kill the process of /usr/sbin/incrond. However, its better to enable the service as system boot time and start the service:
    # systemctl enable incrond.service
    # service incrond start
  • /var/log/cron - This is the default location where the incron daemon will log its activities (through rsyslog). The file is also used by the cron daemon, so you may see other messages in this file. By using the tail command on this file, you can monitor what the incron daemon is doing. For example:
    # tail -f /var/log/cron
  • The incrontab file - You can edit this file by running:
    # incrontab -e
    This command will automatically load the incrontab file in an editor like VI, and you can add/modify/remove entries this way. Once you save the file, its contents will be automatically activated by the incron daemon. To list the entries in the incrontab file, run:
    # incrontab -l
There's a specific format to the entries in the incrontab file mentioned above, and the format looks like this:

[path] [mask] [command]

  • [path] is the folder that the incron daemon will be monitoring for any new files (only in the folder itself, not in any sub-folders).
  • [mask] is the activity that the incron daemon should respond to. There are several different available activities to choose from. For a list of options, see One option that can be used is "IN_CLOSE_WRITE", which means, act if a file is closed for writing, meaning, writing to a file in the folder has been completed.
  • [command] is the command to be run by the incron daemon when a file activity takes place in the monitored path. For this command you can use available wildcards, such as:
    • $@ : watched filesystem path
    • $# : event-related file name
An example of the incrontab file can be:
/path/to/my/folder IN_CLOSE_WRITE /path/to/script.bash $@ $#
You can have multiple entries in the incrontab file, each on a separate line. In the example above, the incron daemon will start script /path/to/script.bash with two parameters (the path of the monitored folder, and the name of the file that was written to the folder), for each file that has been closed for writing in folder /path/to/my/folder.

To monitor the status of the incron daemon, run:
# service incrond status
To restart the incron daemon, run:
# service incrond stop
# service incrond start
Or shorter:
# service incrond restart
There is a downside to using incron, which is, that there is no way to limit the number of processes that can be started by the incron daemon. If a thousand files are written to the folder monitored by the incron daemon, then it will kick off the defined proces in the incrontab file for that folder a thousand times. This may place some serious CPU load on a system (or even hang up the system), especially if the command being run is CPU and/or memory intensive.

If you found this useful, here's more on the same topic(s) in our blog:

UNIX Health Check delivers software to scan Linux and AIX systems for potential issues. Run our software on your system, and receive a report in just a few minutes. UNIX Health Check is an automated check list. It will report on perfomance, capacity, stability and security issues. It will alert on configurations that can be improved per best practices, or items that should be improved per audit guidelines. A report will be generated in the format you wish, and the report includes the issues discovered and information on how to solve the issues as well.

Interested in learning more?