I'm trying to set up fschange to monitor a folder on one of our servers (running Splunk v4.1.2) using the following stanza (in inputs.conf on host xyz):

[fschange:E:\testfschange\]
index=mysamples
pollPeriod=60
followLinks=true
fullEvent=true
delayInMills=1000
host=abc.int.hlc.com

I restarted Splunk after this change, then created a new document and stored it in this folder. I've also made a change to a document in the folder. I'm monitoring Splunk to see if this shows up, but nothing is getting sent to Splunk. Part of me wonders if I have to actually have this set up in the inputs.conf file on the host where the folder I want to monitor resides. If this is the case, how have people handled deployment apps? Do you just create a separate stanza for each host/folder in serverclass.conf and then inputs.conf?

What are the requirements to get fschange to work? Do I also have to have Windows auditing enabled? If so, this would seem like overkill, since events are getting sent to the security log when you enable Windows file auditing.

Thanks.

asked 24 May '10, 17:40

snowmizer

edited 03 Feb '11, 14:39

Lowell
2 Answers:

A few things:

  1. inputs.conf is on the server where Splunk is installed. That's where you should add the stanza.
  2. I don't see such a parameter as "host=" for fschange. Please go through the following article about fschange (http://www.splunk.com/base/Documentation/4.0.9/Admin/Monitorchangestoyourfilesystem). If you want to monitor files or a folder on a remote server, you probably want to use a network path. Something like

    [fschange:\\abc.int.hlc.com\e$\testfschange]

  3. Was the mysamples index created for this particular monitoring task, or are there already events in there? You may want to try an index with existing events first to make sure it's not an index file issue.

  4. If you are going to monitor files through the network, make sure Splunk services are running under the accounts that have appropriate permissions (http://www.splunk.com/base/Documentation/latest/Installation/InstallonWindows#Choosing_the_user_Splunk_should_run_as).


answered 14 Jun '10, 13:47

kkuminsky

Moving my config to the inputs.conf file on my server where Splunk is installed and changing the path worked.

Couple of questions:

  1. What does it mean when "too_small" is appended to the sourcetype when you add text to a file?
  2. Is there any way to see what user made the change?

Thanks.

(24 Jun '10, 15:06) snowmizer
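To make the points in this answer checkable before a restart, here is an added example (not code from the thread's participants or from Splunk) that parses an inputs.conf fragment and lints its fschange stanzas: it flags keys that are not fschange-specific, and it distinguishes a local drive path (which must live in the inputs.conf of the host owning that drive) from a UNC path (which the Splunk service account must be able to read). The sample inputs.conf is constructed from the stanzas on this page; the set of fschange-specific keys is an assumption based on the keys used here and the fschange documentation, so check it against the inputs.conf spec of your own Splunk version.

```python
import configparser
import re

# Constructed sample: the question's stanza plus the UNC form suggested in the answer.
SAMPLE_INPUTS_CONF = r"""
[fschange:E:\testfschange\]
index=mysamples
pollPeriod=60
followLinks=true
fullEvent=true
delayInMills=1000
host=abc.int.hlc.com

[fschange:\\abc.int.hlc.com\e$\testfschange]
index=mysamples
pollPeriod=60
fullEvent=true
"""

# Assumed set of fschange-specific keys (page keys + documented ones); verify against your spec.
FSCHANGE_KEYS = {
    "index", "pollPeriod", "followLinks", "fullEvent", "delayInMills",
    "recurse", "hashMaxSize", "sendEventMaxSize", "signedaudit", "filters", "disabled",
}

UNC_RE = re.compile(r"^\\\\[^\\]+\\.+")      # \\server\share\...
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")        # E:\...


def parse_inputs_conf(text):
    """Return {stanza_name: {key: value}} for a Splunk-style .conf fragment."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: Splunk keys such as pollPeriod are case-sensitive
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def lint_fschange(stanzas):
    """Return a list of (stanza, message) findings for every [fschange:...] stanza."""
    findings = []
    for name, keys in stanzas.items():
        if not name.startswith("fschange:"):
            continue
        path = name[len("fschange:"):]

        for key in keys:
            if key not in FSCHANGE_KEYS:
                findings.append((name, f"'{key}' is not a fschange-specific key; check the inputs.conf spec"))

        if UNC_RE.match(path):
            findings.append((name, "UNC path: the Splunk service account needs read access to this share"))
        elif DRIVE_RE.match(path):
            findings.append((name, "local drive path: this stanza must be in inputs.conf on the host that owns the drive"))
        else:
            findings.append((name, "path is neither a drive-letter path nor a UNC path"))

        poll = keys.get("pollPeriod")
        if poll is not None and not (poll.isdigit() and int(poll) > 0):
            findings.append((name, f"pollPeriod must be a positive integer, got {poll!r}"))
    return findings


if __name__ == "__main__":
    for stanza, msg in lint_fschange(parse_inputs_conf(SAMPLE_INPUTS_CONF)):
        print(f"[{stanza}] {msg}")
```

Run against the sample, the linter reports the extra host= key and the local-drive path on the first stanza, and only the share-permission reminder on the UNC stanza.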

Are you by any chance adding the fschange monitor on a forwarder? If so, this is broken (unless you want to pipe it into the _audit index, which may or may not be enough for you). It was broken in 4.1.2 and still is in 4.1.3.

http://www.splunk.com/base/Documentation/4.1.2/ReleaseNotes/Knownissues

Support has been unable to provide me with an ETA for the fix.

As a workaround I use a regular monitor stanza combined with a custom sourcetype to index full files of interest. You can still run diffs and whatnot on the files that way. And since you're on Windows, you can enable object-level auditing via group or local policy and log what user made the change for accounting purposes.

I use the following monitor to index changes to my splunk configs for example (inputs.conf):

[monitor://C:\Program Files\Splunk\etc\...\*.conf]
followTail = False
sourcetype = splunk_config
index = my_custom_index
disabled = false

and define the splunk_config sourcetype in props.conf as such:

[splunk_config]
BREAK_ONLY_BEFORE=goblygook
MAX_EVENTS=200000
DATETIME_CONFIG = NONE
CHECK_METHOD = modtime
pulldown_type = true
LEARN_MODEL = false

This combination will index all files under splunk\etc ending in .conf. The BREAK_ONLY_BEFORE=goblygook basically tells Splunk not to break the event (in this case the conf file) until it encounters "goblygook", which shouldn't be in any of your files.

It would be better to use fschange but until it is fixed on forwarders this workaround should do.


answered 14 Jun '10, 17:27

ftk
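The workaround above indexes whole files so that changes can be diffed later. As an added example (not code from the thread's participants or from Splunk), the following script shows the core of what a poll-based file-change monitor does: it snapshots a directory tree with a SHA-256 per file, compares two snapshots, and emits one key=value event per add, update or delete, attaching a unified diff for updated text files. The event format, the field names and the 1 MiB content limit are my own choices; the demo directory and its files are constructed in a temporary folder so the script runs anywhere.

```python
import difflib
import hashlib
import os
import tempfile
import time

MAX_CONTENT_BYTES = 1024 * 1024  # keep file text for diffs only below this size (assumed limit)


def snapshot(root):
    """Record size, mtime, SHA-256 and (for small files) text of every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # vanished or unreadable between the walk and the read
            text = data.decode("utf-8", "replace") if len(data) <= MAX_CONTENT_BYTES else None
            state[os.path.relpath(full, root)] = {
                "size": st.st_size,
                "mtime": st.st_mtime,
                "sha256": hashlib.sha256(data).hexdigest(),
                "text": text,
            }
    return state


def _event(ts, action, rel, info):
    return f'{ts} action={action} path="{rel}" size={info["size"]} sha256={info["sha256"]}'


def diff_snapshots(old, new, ts=None):
    """Compare two snapshots; return key=value event strings, with a unified diff on updates."""
    ts = ts or time.strftime("%Y-%m-%dT%H:%M:%S")
    events = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            events.append(_event(ts, "add", rel, new[rel]))
        elif rel not in new:
            events.append(_event(ts, "delete", rel, old[rel]))
        elif old[rel]["sha256"] != new[rel]["sha256"]:  # content changed (touching mtime alone is ignored)
            ev = _event(ts, "update", rel, new[rel])
            if old[rel]["text"] is not None and new[rel]["text"] is not None:
                diff = difflib.unified_diff(old[rel]["text"].splitlines(),
                                            new[rel]["text"].splitlines(),
                                            "before", "after", lineterm="")
                ev += "\n" + "\n".join(diff)
            events.append(ev)
    return events


def demo():
    """Constructed scenario in a temp dir: one file edited, one added, one deleted."""
    root = tempfile.mkdtemp(prefix="fschange-demo-")

    def write(name, content):
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(content)

    write("a.conf", "[stanza]\nkey = one\n")
    write("c.conf", "[old]\n")
    before = snapshot(root)
    write("a.conf", "[stanza]\nkey = one\nextra = two\n")
    write("b.conf", "[new]\n")
    os.remove(os.path.join(root, "c.conf"))
    after = snapshot(root)
    return diff_snapshots(before, after, ts="demo")


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

Pointing snapshot() at a real folder and calling it once per poll period gives the same add/update/delete view that fschange produces, and the emitted lines can be written to a file that a plain monitor stanza picks up. Like fschange, it records that a file changed, not who changed it; the user comes from Windows object auditing, as the answer notes.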
