diff --git a/sysmonitor-1.3.2/module/Makefile b/sysmonitor-1.3.2/module/Makefile
index 8030152a0b6ca5a047252bf42c4380d921a5ca10..24cd3e6aa14adb524accf4ae20b7503f7c206ae3 100644
--- a/sysmonitor-1.3.2/module/Makefile
+++ b/sysmonitor-1.3.2/module/Makefile
@@ -4,7 +4,7 @@
 # Create: 2018-12-15
 
 obj-m += sysmonitor.o
-sysmonitor-objs := sysmonitor_main.o signo_catch.o fdstat.o monitor_netdev.o
+sysmonitor-objs := sysmonitor_main.o signo_catch.o fdstat.o monitor_netdev.o monitor_inotify.o
 KERNELDIR ?= /lib/modules/$(shell uname -r)/build
 PWD := $(shell pwd)
 EXTRA_CFLAGS += -Wall -Werror
diff --git a/sysmonitor-1.3.2/module/monitor_inotify.c b/sysmonitor-1.3.2/module/monitor_inotify.c
new file mode 100644
index 0000000000000000000000000000000000000000..ada5218fb2db0be6ccb60130d4b85c02fcc46082
--- /dev/null
+++ b/sysmonitor-1.3.2/module/monitor_inotify.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2024-2024. All rights reserved.
+ * Description: monitor inotify module
+ * Author: xietangxin
+ * Create: 2024-02-05
+ */
+#include "monitor_inotify.h"
+
+#include
+
+#include "sysmonitor_main.h"
+
+struct fsnotify_group *g_fm_group;
+
+static struct kprobe inotify_ioctl_kp = {
+ .symbol_name = "inotify_ioctl"
+};
+
+static struct kprobe inotify_handle_inode_event_kp = {
+ .symbol_name = "inotify_handle_inode_event"
+};
+
+static int inotify_ioctl_kp_handler(struct kprobe *p, struct pt_regs *regs)
+{
+ struct file *file = (struct file *)PT_REGS_PARM1(regs);
+ unsigned int cmd = (unsigned int)PT_REGS_PARM2(regs);
+ struct fsnotify_group *group = file->private_data;
+ printk("inotify cmd %x\n", cmd);
+ if (cmd == INOTIFY_IOC_SET_SYSMONITOR_FM) {
+ g_fm_group = group;
+ printk("set filemonitor private group sucess.\n");
+ }
+ return 0;
+}
+
+static int inotify_handle_inode_event_kp_handler(struct kprobe *p, struct pt_regs *regs)
+{
+ struct inotify_event_process_info info;
+ struct fsnotify_mark *inode_mark;
+ struct fsnotify_group *group;
+ struct inotify_inode_mark *i_mark;
+ struct qstr *name;
+ unsigned int mask;
+
+ inode_mark = (struct fsnotify_mark *)PT_REGS_PARM1(regs);
+ mask = (unsigned int)PT_REGS_PARM2(regs);
+ name = (struct qstr *)PT_REGS_PARM5(regs);
+ group = inode_mark->group;
+ i_mark = container_of(inode_mark, struct inotify_inode_mark, fsn_mark);
+
+ if (g_fm_group == group) {
+ info.pid = current->pid;
+ memcpy(info.comm, current->comm, TASK_COMM_LEN);
+ info.parent_pid = current->parent->pid;
+ memcpy(info.parent_comm, current->parent->comm, TASK_COMM_LEN);
+ info.mask = mask;
+ info.wd = i_mark->wd;
+ if (name)
+ memcpy(info.name, name->name, INOTIFY_EVENT_NAME_LEN);
+ printk("%d(%s)->%d(%s)\n", info.pid, info.comm, info.parent_pid, info.parent_comm);
+ printk("mask:0x%x wd:%d event_name:%s\n", info.mask, info.wd, info.name);
+ (void)save_msg(INOTIFY, &info, sizeof(info));
+ }
+ return 0;
+}
+
+void monitor_inotify_init(void)
+{
+ inotify_ioctl_kp.pre_handler = inotify_ioctl_kp_handler;
+ inotify_handle_inode_event_kp.pre_handler = inotify_handle_inode_event_kp_handler;
+ register_kprobe(&inotify_ioctl_kp);
+ register_kprobe(&inotify_handle_inode_event_kp);
+ printk(KERN_INFO "monitor_inotify: register inotify kprobe\n");
+}
+
+void monitor_inotify_exit(void)
+{
+ unregister_kprobe(&inotify_ioctl_kp);
+ unregister_kprobe(&inotify_handle_inode_event_kp);
+ printk(KERN_INFO "monitor_inotify: unregister inotify kprobe\n");
+}
+
diff --git a/sysmonitor-1.3.2/module/monitor_inotify.h b/sysmonitor-1.3.2/module/monitor_inotify.h
new file mode 100644
index 0000000000000000000000000000000000000000..4087c37353f32b2b527e27f7134f7ec991a466ed
--- /dev/null
+++ b/sysmonitor-1.3.2/module/monitor_inotify.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) Huawei Technologies Co., Ltd. 2024-2024. All rights reserved.
+ * Description: monitor inotify module
+ * Author: xietangxin
+ * Create: 2024-02-05
+ */
+#ifndef MONITOR_INOTIFY_H
+#define MONITOR_INOTIFY_H
+#include
+#include
+
+#define INOTIFY_IOC_SET_SYSMONITOR_FM 0xABAB
+#define INOTIFY_EVENT_NAME_LEN 128
+
+// copy from fs/notify/inotify.h
+struct inotify_inode_mark
+{
+ struct fsnotify_mark fsn_mark;
+ int wd;
+};
+
+struct inotify_event_process_info {
+ int pid;
+ int parent_pid;
+ char comm[TASK_COMM_LEN];
+ char parent_comm[TASK_COMM_LEN];
+ unsigned int mask;
+ int wd;
+ char name[INOTIFY_EVENT_NAME_LEN];
+};
+
+void monitor_inotify_init(void);
+void monitor_inotify_exit(void);
+
+#endif
diff --git a/sysmonitor-1.3.2/module/signo_catch.c b/sysmonitor-1.3.2/module/signo_catch.c
index c038e161ff19ad7b41cdbffce38d6274d3e1dc61..88cef33eb75f63f6ed56bbb75715e38b47b16d6d 100644
--- a/sysmonitor-1.3.2/module/signo_catch.c
+++ b/sysmonitor-1.3.2/module/signo_catch.c
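Review bot: `inotify_handle_inode_event_kp_handler` copies a fixed `INOTIFY_EVENT_NAME_LEN` bytes out of `name->name` without consulting `name->len`, and leaves `info.name` (and the struct padding) uninitialised when `name` is NULL, so kernel heap beyond the dentry name or stale kernel stack ends up in the `printk` and in the buffer that `save_msg()` queues for userspace. Zero `info` before filling it and bound the copy by `name->len` with one byte reserved for the terminator, as in the excerpt below; `min_t` assumes `linux/kernel.h` or `linux/minmax.h` is reachable through the system include whose name this rendering has stripped from the bare `+#include` line. `inotify_ioctl_kp_handler` applies no privilege check, so any process holding an inotify fd can issue `ioctl(fd, 0xABAB)` and make its own group the monitored one — guard the assignment with `if (!capable(CAP_SYS_ADMIN)) return 0;` — and since `g_fm_group` is only ever compared by address, a recycled `fsnotify_group` allocation after the registering process closes its fd would match silently. `monitor_inotify_init()` discards both `register_kprobe()` results; `inotify_handle_inode_event` is a static kernel function whose presence and exact name in kallsyms are compiler-dependent, so a failure here goes unnoticed and `monitor_inotify_exit()` then unregisters a probe that was never armed. The level-less `printk` on every inotify ioctl and on every matched event also lets an unprivileged user flood the kernel log; `pr_debug` or `printk_ratelimited` with an explicit `KERN_*` level would be safer.
```c
static int inotify_handle_inode_event_kp_handler(struct kprobe *p, struct pt_regs *regs)
{
    struct inotify_event_process_info info;
    /* … unchanged: other locals, register decoding, container_of … */

    /* no uninitialised stack or padding may reach the log or userspace */
    memset(&info, 0, sizeof(info));
    if (g_fm_group == group) {
        /* … unchanged: pid/comm/parent/mask/wd fields … */
        if (name) {
            size_t n = min_t(size_t, name->len, INOTIFY_EVENT_NAME_LEN - 1);

            memcpy(info.name, name->name, n);
        }
        /* … unchanged: printk calls, save_msg … */
    }
```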
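Review bot: `struct inotify_inode_mark` is a hand copy of a private kernel definition (the comment says `fs/notify/inotify.h`; in-tree it appears to live under `fs/notify/inotify/`), so `container_of(...)->wd` in monitor_inotify.c is only correct while the running kernel's layout is identical — the `// copy from` comment should name the kernel version the copy was taken from and warn that it must be re-checked on every kernel bump. `INOTIFY_IOC_SET_SYSMONITOR_FM 0xABAB` is a bare number rather than an `_IO()`-encoded code and is recognised only by the kprobe, so the real `inotify_ioctl()` still returns -ENOTTY to whoever issues it; a comment such as `/* private handshake seen by the kprobe in monitor_inotify.c; inotify_ioctl() itself rejects it with -ENOTTY */` would save the next reader a debugging session. `INOTIFY_EVENT_NAME_LEN 128` is smaller than NAME_MAX (255), so event names are truncated, and the field is consumed as a C string by `printk("%s")`, so the header should state that `name` must be NUL-terminated by whoever fills it — which the current copy in the .c file does not guarantee.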
@@ -257,21 +257,11 @@ out:
 
 static int pre_handler(struct kprobe *p, struct pt_regs *regs)
 {
-#ifdef CONFIG_ARM64
 send_sig_info_data_t data;
- data.sig = regs->regs[0];
- data.info = (struct kernel_siginfo *)((unsigned long *)regs->regs[1]);
- data.p = (struct task_struct *)((unsigned long *)regs->regs[2]);
+ data.sig = PT_REGS_PARM1(regs);
+ data.info = (struct kernel_siginfo *)((unsigned long *)PT_REGS_PARM2(regs));
+ data.p = (struct task_struct *)((unsigned long *)PT_REGS_PARM3(regs));
 do_store_sig_info(&data);
-#endif
-
-#ifdef CONFIG_X86_64
- send_sig_info_data_t data;
- data.sig = regs->di;
- data.info = (struct kernel_siginfo *)((unsigned long *)regs->si);
- data.p = (struct task_struct *)((unsigned long *)regs->dx);
- do_store_sig_info(&data);
-#endif
 return 0;
 }
 
diff --git a/sysmonitor-1.3.2/module/sysmonitor_main.c b/sysmonitor-1.3.2/module/sysmonitor_main.c
index a55403787cbb9d5efb48eb5a1efb6afa08cba63c..f193f5e7cd053c1931f03dd27f03e51b48b4ee4b 100644
--- a/sysmonitor-1.3.2/module/sysmonitor_main.c
+++ b/sysmonitor-1.3.2/module/sysmonitor_main.c
@@ -16,6 +16,7 @@
 #include "signo_catch.h"
 #include "fdstat.h"
 #include "monitor_netdev.h"
+#include "monitor_inotify.h"
 
 #define NET_RATELIMIT_BURST_MIN 0
 #define NET_RATELIMIT_BURST_MAX 100
@@ -141,7 +142,6 @@ int save_msg(int type, const void *msg, int msg_size)
 {
 struct sysmonitor_msg *tmp_msg = NULL;
 unsigned int index;
- int ret;
 unsigned long flags;
 
 if (msg_size <= 0) {
@@ -164,12 +164,10 @@ int save_msg(int type, const void *msg, int msg_size)
 g_msg_buf_seq++;
 spin_unlock_irqrestore(&g_msg_buf_lock, flags);
 
- if (ret == 0) {
- if (waitqueue_active(&g_msg_wait))
- wake_up_interruptible(&g_msg_wait);
- }
+ if (waitqueue_active(&g_msg_wait))
+ wake_up_interruptible(&g_msg_wait);
 
- return ret;
+ return 0;
 }
 
 static int __init sysmonitor_module_init(void)
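Review bot: the rewritten `data.info` and `data.p` assignments keep the redundant inner `(unsigned long *)` cast inherited from the old arch-specific branches, e.g. `data.info = (struct kernel_siginfo *)((unsigned long *)PT_REGS_PARM2(regs));`; casting the register value straight to its target, `data.info = (struct kernel_siginfo *)PT_REGS_PARM2(regs);` and `data.p = (struct task_struct *)PT_REGS_PARM3(regs);`, is equivalent and reads as what it is. `data.sig = PT_REGS_PARM1(regs);` silently narrows the register to whatever `sig` is declared as (`send_sig_info_data_t` is not in view), which is fine for a signal number but deserves an explicit `(int)` cast for symmetry with the other two lines. `pre_handler` is fully visible in this hunk; `do_store_sig_info` is not.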
@@ -182,6 +180,7 @@ static int __init sysmonitor_module_init(void)
 signo_catch_init();
 fdstat_init();
 monitor_netdev_init();
+ monitor_inotify_init();
 
 return 0;
 }
@@ -191,6 +190,7 @@ static void __exit sysmonitor_module_exit(void)
 signo_catch_exit();
 fdstat_exit();
 monitor_netdev_exit();
+ monitor_inotify_exit();
 }
 module_init(sysmonitor_module_init);
 module_exit(sysmonitor_module_exit);
diff --git a/sysmonitor-1.3.2/module/sysmonitor_main.h b/sysmonitor-1.3.2/module/sysmonitor_main.h
index 41da5f3859e2296354d3f61cf9b8d4f30ab9febd..d08c4a0a95d197a69e3c7dc0f9c98a09d9159346 100644
--- a/sysmonitor-1.3.2/module/sysmonitor_main.h
+++ b/sysmonitor-1.3.2/module/sysmonitor_main.h
@@ -7,11 +7,26 @@
 #ifndef SYSMONITOR_H
 #define SYSMONITOR_H
 
+#if defined(CONFIG_ARM64)
+#define PT_REGS_PARM1(x) ((x)->regs[0])
+#define PT_REGS_PARM2(x) ((x)->regs[1])
+#define PT_REGS_PARM3(x) ((x)->regs[2])
+#define PT_REGS_PARM4(x) ((x)->regs[3])
+#define PT_REGS_PARM5(x) ((x)->regs[4])
+#elif defined(CONFIG_X86_64)
+#define PT_REGS_PARM1(x) ((x)->di)
+#define PT_REGS_PARM2(x) ((x)->si)
+#define PT_REGS_PARM3(x) ((x)->dx)
+#define PT_REGS_PARM4(x) ((x)->cx)
+#define PT_REGS_PARM5(x) ((x)->r8)
+#endif
+
 #define NOTIFY_CALL_PRIORITY 100
 enum sysmonitor_event_type {
 SIGNAL,
 FDSTAT,
- NETWORK
+ NETWORK,
+ INOTIFY
 };
 
 unsigned long get_sigcatchmask(void);
diff --git a/sysmonitor-kmod.spec b/sysmonitor-kmod.spec
index 2662c2633bfbfe82c213cd8de521803dcf73709f..61fa2976d3c6c18577199cad271e1e727fd8cc86 100644
--- a/sysmonitor-kmod.spec
+++ b/sysmonitor-kmod.spec
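Review bot: `monitor_inotify_init()` is called for side effect only, like the `*_init()` calls above it, so a failed `register_kprobe()` inside it cannot make `sysmonitor_module_init()` fail — the module loads, reports success and then silently never sees an inotify event. Because `inotify_handle_inode_event` is a static kernel function whose presence in kallsyms (and even its exact symbol name) depends on the compiler, that failure is realistic rather than theoretical. Let the init return the `register_kprobe()` status and check it here, e.g. `ret = monitor_inotify_init(); if (ret) goto err_inotify;`, or at minimum log at `KERN_ERR` on failure; the rest of `sysmonitor_module_init()` lies outside this hunk, so I cannot see whether an unwind path already exists to join.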
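Review bot: the new `PT_REGS_PARMn` block has no `#else`, so on any architecture other than arm64 and x86-64 the macros are simply undefined and every user (`signo_catch.c`, `monitor_inotify.c`) now fails with an opaque implicit-declaration error, whereas before this change the arch-specific code in `pre_handler` was merely compiled out under `#ifdef CONFIG_ARM64` / `#ifdef CONFIG_X86_64`. Add `#else`, `#error "sysmonitor: PT_REGS_PARMn not defined for this architecture"`, `#endif` so the unsupported case is stated once, in this header. A one-line comment above the block, e.g. `/* first five integer arguments as seen by a kprobe pre-handler: x0-x4 on arm64, rdi/rsi/rdx/rcx/r8 on x86-64 (SysV ABI) */`, would also explain why `r8` is parameter 5.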
@@ -108,7 +108,7 @@ install -m 600 conf/logind_monitor %{buildroot}%{_sysconfdir}/sysmonitor.d/
 
 install -m 500 script/logind_clear.sh %{buildroot}/usr/libexec/sysmonitor/
 install -m 0600 service/sysmonitor.service $RPM_BUILD_ROOT/usr/lib/systemd/system/sysmonitor.service
-ln -s ../sysmonitor.service $RPM_BUILD_ROOT/usr/lib/systemd/system/multi-user.target.wants/sysmonitor.service
+# ln -s ../sysmonitor.service $RPM_BUILD_ROOT/usr/lib/systemd/system/multi-user.target.wants/sysmonitor.service
 
 %post
 %systemd_post sysmonitor.service
@@ -165,7 +165,7 @@ systemctl daemon-reload 2>/dev/null 1>/dev/null
 
 %config(noreplace) %{_sysconfdir}/sysmonitor.d/*
 /usr/lib/systemd/system/sysmonitor.service
-/usr/lib/systemd/system/multi-user.target.wants/sysmonitor.service
+# /usr/lib/systemd/system/multi-user.target.wants/sysmonitor.service
 
 %changelog
 * Sat May 27 2023 xietangxin - 1.3.2-1.0
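Review bot: commenting out the `ln -s` into `multi-user.target.wants` (and the matching `%files` entry in the second hunk) means a fresh install no longer enables `sysmonitor.service`; `%systemd_post` normally only applies presets, so unless a preset file is shipped elsewhere the service will stay disabled after this update as well, which changes what a monitoring package does on the host. If that is intended, delete the two lines instead of leaving commented-out copies and record the behaviour change in `%changelog`, which this commit does not touch; if it is not, the lines should be restored. The rest of the spec is outside the hunks, so whether a preset exists is an assumption to confirm.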