ZFS Snapshot Diffs - Logging

billh (Cadet, joined Nov 10, 2022, 5 messages)
I am interested in using TrueNAS due to the great capabilities of the filesystem ZFS. I also like the idea of the block level replication as a backup option. My current backup solution is quite slow however it does keep great logs about what changes between basically snapshots.

When using ZFS snapshot functionality and send/receive, I would also like to run a diff between the two most recent snapshots and have the information sent to a log file for data integrity checks. I want to know if files have all been modified due to ransomware or other malicious activity. I assume the snapshots do not log the file change differences as it's just performing the task at the block level.

Is there any logging project out there like sanoid/syncoid scripts that would provide this function with the zfs diff command? I searched around but didn't find any information. I imagine someone before me audits their filesystem changes between backups. Maybe there is a better way and I am unaware. Thanks for any suggestions!

jgreco (Resident Grinch, joined May 29, 2011, 18,680 messages)
I assume the snapshots do not log the file change differences as it's just performing the task at the block level.

That's correct. However, because blocks are rewritten, it would probably be easy to write a check to see if there was a large delta between the current and previous snapshots. You can do that by looking at the size of the snapshot.

You can also choose to pick a known good snapshot and then run zfs diff against it, and count how many changes are there. It's a few lines of scripting.

billh (Cadet, joined Nov 10, 2022, 5 messages)
Thanks for the reply. I was afraid of that! I am not that great at script writing. I would prefer to see the actual file changes so I would probably go with a weekly diff comparing the previous week snapshot to the newest. I'll have to figure out snapshot naming conventions and how to write a script with the regex to match on the filenames that will change probably by date.
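A small POSIX shell script along the lines jgreco describes and billh is after, added here as an example (it is not code from the thread, TrueNAS or sanoid): it picks the two newest snapshots of a dataset by creation time, so no regex on snapshot names is needed, writes the full zfs diff to a log, appends a per-type count, and returns non-zero when the total exceeds a threshold. The dataset tank/data, the log path and the threshold are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed placeholders: dataset tank/data,
# log file /var/log/zfs-snapdiff.log, alert threshold of 1000 changed paths.

# Count `zfs diff -H` records (TYPE<TAB>PATH, one per line) on stdin by type.
# Prints one line: added=N removed=N modified=N renamed=N total=N
summarize_diff() {
    awk -F '\t' '
        $1 == "+" { a++ } $1 == "-" { d++ } $1 == "M" { m++ } $1 == "R" { r++ }
        { t++ }
        END { printf "added=%d removed=%d modified=%d renamed=%d total=%d\n", a, d, m, r, t }'
}

# Read snapshot names sorted oldest-first (the order `zfs list -s creation`
# emits) from stdin and print the two newest as "OLDER NEWER"; prints nothing
# when fewer than two exist. Sorting by creation avoids regexes on snapshot names.
pick_latest_two() {
    tail -n 2 | awk 'NR == 1 { p = $0; next } { print p, $0 }'
}

# Diff the two newest snapshots of dataset $1, append the full change list and
# a summary to log $2, and return 2 when the total exceeds $3 (default 1000) so
# a cron wrapper can alert on a mass modification.
log_snapshot_diff() {
    dataset=$1; logfile=$2; threshold=${3:-1000}
    pair=$(zfs list -H -t snapshot -o name -s creation -d 1 "$dataset" | pick_latest_two)
    [ -n "$pair" ] || { echo "fewer than two snapshots of $dataset" >&2; return 1; }
    older=${pair% *}; newer=${pair#* }
    tmp=$(mktemp) || return 1
    zfs diff -H "$older" "$newer" > "$tmp" || { rm -f "$tmp"; return 1; }
    summary=$(summarize_diff < "$tmp")
    {
        echo "=== $(date -u +%Y-%m-%dT%H:%M:%SZ) $older -> $newer"
        cat "$tmp"
        echo "=== $summary"
    } >> "$logfile"
    rm -f "$tmp"
    total=${summary##*total=}
    [ "$total" -le "$threshold" ] && return 0
    echo "ALERT: $total paths changed between $older and $newer (see $logfile)" >&2
    return 2
}

# Usage: ./snapdiff.sh tank/data /var/log/zfs-snapdiff.log 1000
if [ "$#" -ge 2 ]; then
    log_snapshot_diff "$@"
fi
```

Run it from cron after each replication so the log grows one dated section per snapshot pair; the per-type counts give the coarse "large delta" check and the listed paths give the detail billh wants.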