I would like to set up file system change monitoring on my Windows server (using fschange) where my users' private folders reside (e.g. F:\MyUsers). I have configured the inputs.conf file on my server where Splunk is running. I restarted Splunk (also rebooted the Splunk server).
I then created a text file in my own folder (F:\MyUsers\myuserfolder). I also tried modifying an existing file in this folder. Splunk doesn't pick up my changes. However, when I search the index where I'm placing these events, I see events for a few users (e.g. F:\MyUsers\jdoefolder). I verified permissions. Administratively, the permissions are the same across all folders.
Why would Splunk not index changes from all subfolders?
asked 12 Jul '10, 19:38
I am pretty new to fschange, but in your inputs.conf do you have "recurse=true" set? I'm guessing you do since it's picking up other users' changes, but I figure it's worth a shot!
answered 12 Aug '10, 20:27