I'm trying to set up fschange to monitor a folder on one of our servers (running Splunk v4.1.2) using the following stanza (in inputs.conf on host xyz):
I restarted Splunk after this change then created a new document and stored it in this folder. I've also made a change to a document in the folder. I'm monitoring Splunk to see if this shows up but nothing is getting set to Splunk. Part of me wonders if I have to actually have this set up in the inputs.conf file on the host where the folder I want to monitor resides. If this is the case how have people handled deployment apps? Do you just create a separate stanza for each host/folder in serverclas.conf and then inputs.conf?
What are the requirements to get fschange to work? Do I also have to have Windows auditing enabled? If so this would seem like overkill since events are getting set to the security log when you enable Windows file auditing.
A few things:
answered 14 Jun '10, 13:47
Are you by any chance adding the fschange monitor on a forwarder? If so, this is broken (unless you want to pipe it into the _audit index, which may or may not be enough for you). Was in 4.1.2 and is in 4.1.3.
Support has been unable to provide me with an ETA for the fix.
As a workaround I use a regular monitor stanza combined with a custom sourcetype to index full files of interest. You can still run diffs and whatnot on the files that way. And since you're on windows you can enable object level auditing via group or local policy and log what user made the change for accounting purposes.
I use the following monitor to index changes to my splunk configs for example (inputs.conf):
and define the splunk_config sourcetype in props.conf as such:
this combination will index all files under splunk\etc ending in .conf. The BREAK_ONLY_BEFORE=gooblybook basically tells splunk not to break the event (in this case the conf file) until it encounters "gooblygook" which shouldn't be in any of your files.
It would be better to use fschange but until it is fixed on forwarders this workaround should do.
answered 14 Jun '10, 17:27