Getting Data In

Filesystem change monitor on Windows LightWeight Forwarder

steveirogers
Communicator

Installation: Universal Forwarder 4.3.2
I am trying to use the FileSystem monitor to monitor the files in inputs.conf.
I added this stanza to the "inputs.conf" file and restarted the Forwarder.

[fschange://E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true 

I then made several configuration changes to "inputs.conf" (and restarted the Forwarder) but I do not see any events in the "_audit" index. Where am I going wrong? Thanks

0 Karma

steveirogers
Communicator
No success as yet.  I modified the fsmonitor stanza on the Forwarder as follows:
[fschange:E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

I have made changes to the "inputs.conf" file in that location, restarted the Splunk service, but no events are showing in "index=_audit" for this, or in any other index for that matter.
I went ahead and upgraded the Windows Forwarder to version 4.3.3 and the Indexer is also at 4.3.3 to see if that would change anything, but it did not. Thanks for your help. At this time I will probably submit this to Splunk support.

0 Karma

dmaislin_splunk
Splunk Employee

I think you just need to take out the first two slashes. It is different than the monitor stanza.

[fschange:E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Monitorchangestoyourfilesystem

Also, if this is running from a forwarder, that is when you set index = _audit; otherwise, if it is local, you don't have to do that.

To forward file system change monitor events from a universal forwarder, you must set signedaudit = false and index=_audit:

[fschange:<directory or file to monitor>]
signedaudit = false
index=_audit

With this workaround, file system change monitor events are indexed in the _audit index with sourcetype set to fs_notification and source set to fschangemonitor, instead of the default value of audittrail for both sourcetype and source.
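As an added example (not code from the thread or from Splunk), the script below is a small linter for the inputs.conf stanzas discussed in this answer. It parses the INI-style file and flags the two problems raised here: a header written as fschange:// instead of fschange:<path>, and, when the file is meant for a universal forwarder, a stanza that lacks signedaudit = false or index = _audit. Assumptions: a missing signedaudit key is treated as true, and the sample inputs.conf text is constructed for the example, including the third stanza whose path is hypothetical.

```python
"""Lint Splunk inputs.conf fschange stanzas for the mistakes discussed in the thread.

Added example, not Splunk's own tooling. Assumption: an absent 'signedaudit'
key is treated as 'true', so a forwarder stanza without it gets flagged.
"""
import re

# [fschange:<path>] is the documented header form; anything after the colon is the path.
FSCHANGE_RE = re.compile(r"^\[fschange:(?P<path>.*)\]$")


def parse_conf(text):
    """Parse Splunk .conf text into an ordered list of (stanza_header, {key: value}).

    Minimal INI-style parser: '[header]' starts a stanza, 'key = value' lines belong
    to the current stanza, '#' lines are comments. Keys keep their case because
    Splunk keys (e.g. fullEvent) are case-sensitive, which is why configparser,
    which lowercases keys and interpolates '%', is deliberately not used.
    """
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line, {})
            stanzas.append(current)
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[1][key.strip()] = value.strip()
    return stanzas


def lint_fschange(text, on_forwarder=True):
    """Return {stanza_header: [problem, ...]} for every fschange stanza in text.

    An empty list means the stanza passed. With on_forwarder=True the forwarder
    workaround from the answer (signedaudit = false and index = _audit) is required.
    """
    findings = {}
    for header, keys in parse_conf(text):
        match = FSCHANGE_RE.match(header)
        if not match:
            continue  # monitor://, WinEventLog, etc. are out of scope here
        problems = []
        if match.group("path").startswith("//"):
            problems.append(
                "header uses 'fschange://'; unlike monitor://, the fschange header "
                "takes no slashes, write [fschange:<path>]"
            )
        if on_forwarder:
            # Assumption: absent signedaudit behaves as 'true' and must be set explicitly.
            if keys.get("signedaudit", "true").lower() != "false":
                problems.append("forwarder needs signedaudit = false")
            if keys.get("index") != "_audit":
                problems.append("forwarder needs index = _audit")
        findings[header] = problems
    return findings


# Constructed sample: the stanza as first posted, the corrected one, and a
# hypothetical stanza that would work locally but not from a forwarder.
SAMPLE_INPUTS_CONF = r"""
# Stanza as first posted: wrong header form
[fschange://E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

# Stanza as corrected in the answer
[fschange:E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

# Hypothetical stanza (constructed path): fine locally, incomplete for a forwarder
[fschange:C:\Windows\System32\drivers\etc]
fullEvent = true
"""


if __name__ == "__main__":
    for header, problems in lint_fschange(SAMPLE_INPUTS_CONF, on_forwarder=True).items():
        print(header)
        for problem in problems or ["ok"]:
            print("  -", problem)
```

Run it against a real inputs.conf by replacing SAMPLE_INPUTS_CONF with the file's contents; pass on_forwarder=False when linting an indexer's own inputs.conf, since the index = _audit workaround is only needed when events are shipped from a forwarder.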

steveirogers
Communicator

Thank you dmaislin_splunk. I will try that and see if it works.

0 Karma