|
SplunkLightForwarder + nix app + fschange, can this work? From what i read, when enabling the light forwarder it disables the fschange module. In my scenario, having to use the full forwarder to get those above 2 things seems rather overkill. |
|
I don't know why people keep saying that enabling the light forwarder disables fschange. It does not. (If you wouldn't mind linking to where you read that, I will have it corrected.) looks like i was referencing non official documenation on the limitations of the light forwarder, it looks like splunk 3.x had this limitation based on: http://www.splunk.com/base/index.php?title=Documentation:Tmp:EnableTheSplunkForwarderOrLightForwarder:3.4&diff=prev&oldid=34873#What.27s_different_about_the_Splunk_light_forwarder.3F and id also seen it mentioned on numerous forum/wikis
(10 May '10, 06:19)
bbeveridge
It sounds as if there is a bug with light forwarder and fschange. From Known Issues at http://www.splunk.com/base/Documentation/latest/ReleaseNotes/Knownissues : When configuring file system change monitor (fschange) on a forwarder, if signedaudit = true and index=_audit are not explicitly set, fschange events do not get forwarded. (SPL-25294) Also in Answers http://answers.splunk.com/questions/2882/using-fschange-to-monitor-windows-filesystem
(24 Aug '10, 16:59)
Jason
|
