I have a universal forwarder sending logs to Splunk and with monitor, everything is working just fine. However, I thought I'd test out fschange to log file system modifications on some of my Linux hosts. To that end I've modified the $SPLUNK/etc/system/local/inputs.conf so it reads as follows:
[default]
host = Hostname
[filter:whitelist:configs]
regex1 = .*\.txt
[filter:blacklist:terminal-blacklist]
regex1 = .?
[fschange:/path/to/dir]
index = _audit
recurse = true
followLinks = false
signedaudit = false
fullEvent = true
sendEventMaxSize = 1048576
delayInMills = 1000
filters = configs,terminal-blacklist
This sample was taken directly from http://docs.splunk.com/Documentation/Splunk/4.3.4/Data/Monitorchangestoyourfilesystem
With the above configuration I would expect that any changes to a txt file in the monitored directory would be logged. However, if I make a change to a txt file in that directory, no log entry is observed in Splunk.
I'm running Splunk 4.3.3, UF 4.3.4, and have the nix Technology Add-on installed (I need this).
Any help would be appreciated as I'm sure it's something small that I've overlooked.
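As an added illustration, not part of the question or of Splunk's own code, the Python below models the filter chain from the posted inputs.conf (whitelist `configs`, then terminal blacklist `terminal-blacklist`). It assumes left-to-right, first-match evaluation of each regex against the full path, which the question itself does not state; the sample paths are constructed.

```python
import re

# Filter chain in the order given by `filters = configs,terminal-blacklist`
# in the question's inputs.conf: (filter kind, regex).
FILTER_CHAIN = [
    ("whitelist", r".*\.txt"),   # [filter:whitelist:configs]
    ("blacklist", r".?"),        # [filter:blacklist:terminal-blacklist]
]


def is_monitored(path, chain=FILTER_CHAIN):
    """Return True if `path` would be admitted by the filter chain.

    Modelling assumption (not confirmed by the question): filters are
    evaluated left to right against the full path and the first regex that
    matches decides: whitelist -> admit, blacklist -> drop. A path that
    matches nothing falls through and is admitted.
    """
    for kind, pattern in chain:
        if re.match(pattern, path):
            return kind == "whitelist"
    return True


def classify(paths, chain=FILTER_CHAIN):
    """Map each path to its admit/drop decision under the chain."""
    return {p: is_monitored(p, chain) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths under the question's placeholder directory.
    # Note that `.*\.txt` is not anchored at the end, so an editor's
    # "notes.txt.swp" is admitted as well, while "notes.conf" and the bare
    # subdirectory path are swallowed by the terminal blacklist.
    sample = [
        "/path/to/dir/notes.txt",
        "/path/to/dir/notes.txt.swp",
        "/path/to/dir/notes.conf",
        "/path/to/dir/sub",
    ]
    for p, admitted in classify(sample).items():
        print(f"{'monitor' if admitted else 'drop':7s} {p}")
```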