https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251832#M28878 <P>Using latest version I'm still having issues. Only seeing occasional logging to the correctly configured index on restarting the service. The interval is being ignored here.</P> <P>Looking at internal logs:<BR /> Index=_internal source="C:\Program Files\Splunk\var\log\splunk\file_meta_data_modular_input.log"</P> <P>Seeing events like:</P> <P>INFO Completed retrieval of file data....<BR /> WARNING Unable to get the ACL data, reason=(5, 'GetFileSecurity', 'Access is denied.')...<BR /> INFO Time is later than filter, st_mtime=1322859631.165719, must_be_later_than=None, path='...<BR /> INFO Time is later than filter, st_ctime=1330974351.030764, must_be_later_than=None, path=...</P> Tue, 29 Sep 2020 14:13:49 GMT smudge797 2020-09-29T14:13:49Z https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251825#M28871 <P>After installing File/Directory Information Input add-on on Splunk 6.5.1 for Windows and configuring to UNC path, I see the following:</P> <PRE><CODE>INFO Time is later than filter, st_mtime=1459251861.8578942, must_be_later_than=None </CODE></PRE> Tue, 24 Jan 2017 17:03:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251825#M28871 smudge797 2017-01-24T17:03:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251826#M28872 <P>@smudge797 - Please provide more information and context as to what you need help with as it is not clear. Generally, the more information you provide, the better chance of being answered by experts in the Answers community. Thank you.</P> Tue, 24 Jan 2017 17:17:44 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251826#M28872 aaraneta_splunk 2017-01-24T17:17:44Z https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251827#M28873 <P>Make sure that NTP is set on both your forwarder (the Windows machine) and the Indexers. Things cannot happen in the future.</P> Tue, 24 Jan 2017 19:06:26 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251827#M28873 woodcock 2017-01-24T19:06:26Z https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251828#M28874 <P>This is the app: <A href="https://splunkbase.splunk.com/app/2776/" target="_blank">https://splunkbase.splunk.com/app/2776/</A></P> <P>This is the configured input:</P> <P>[file_meta_data://ACETestFolder]<BR /> file_hash_limit = 500MB<BR /> file_path = \\acetest<BR /> include_file_hash = 0<BR /> interval = 15m<BR /> only_if_changed = 1<BR /> recurse = 1</P> <P>There is an initial pull of events seen in the main index, some 3k events<BR /> similar to this:<BR /> time="Tue Jan 24 16:37:39 2017" is_directory=1 file_count=0 directory_count=16 path=\\acetest atime="Thu Dec 22 12:52:26 2016" atime_epoch=1482429146.82 ctime="Thu Oct 15 16:15:49 2015" ctime_epoch=1444940149.33 dev=0 gid=0 ino=0 mode=16895 mtime="Thu Dec 22 12:52:26 2016" mtime_epoch=1482429146.82 nlink=0 size=4096 uid=0 owner=Administrators\BUILTIN owner...(lots more fields)</P> <P>All events have same timestamp time="Tue Jan 24 16:37:39 2017" which is correctly indexed in main.</P> <P>In the index= _internal source="C:\Program Files\Splunk\var\log\splunk\file_meta_data_modular_input.log"<BR /> Events like:<BR /> 2017-01-24 16:37:34,867 INFO Time is later than filter, st_mtime=1482429146.8163483, must_be_later_than=0, path='\\\acetest'</P> <P>Have second input:</P> <P>[file_meta_data://fileTest]<BR /> file_hash_limit = 500MB<BR /> file_path = \\someshare_archive06$<BR /> include_file_hash = 0<BR /> interval = 15m<BR /> only_if_changed = 1<BR /> recurse = 1<BR /> disabled = 0</P> <P>No events in main.</P> <P>index=_internal source="C:\Program Files\Splunk\var\log\splunk\file_meta_data_modular_input.log"</P> <P>2017-01-24 17:35:24,240 INFO Time is later than filter, st_mtime=1333460403.592, must_be_later_than=0, path="\\\someshare_archive06$\~filedetails.xlsm3.xlsm"</P> <P>Also lost of these:</P> <P>2017-01-24 17:29:38,009 ERROR Error when processing path="blah", reason="(1332, 'LookupAccountSid', 'No mapping between account names and security IDs was done.')" Traceback (most recent call last): File "C:\Program Files\Splunk\etc\apps\file_meta_data\bin\file_meta_data.py", line 381, in get_file_data windows_acl_info = cls.get_windows_acl_data(file_path, logger) File "C:\Program Files\Splunk\etc\apps\file_meta_data\bin\file_meta_data.py", line 254, in get_windows_acl_data sid_resolved = win32security.LookupAccountSid(None, sid) error: (1332, 'LookupAccountSid', 'No mapping between account names and security IDs was done.')</P> Tue, 29 Sep 2020 12:32:35 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251828#M28874 smudge797 2020-09-29T12:32:35Z https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251829#M28875 <P>NTP is working.</P> Thu, 26 Jan 2017 15:34:26 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251829#M28875 smudge797 2017-01-26T15:34:26Z https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251830#M28876 <P>The only thing I can think of is that something in your environment isn't allowing the account SID to be looked up.</P> <P>I'm going to make input succeed even if the SID lookup fails.</P> Fri, 17 Mar 2017 04:54:23 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251830#M28876 LukeMurphey 2017-03-17T04:54:23Z https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251831#M28877 <P>This happens when there is no mapping between the account names and the SIDs available on the host. See <A href="http://www.rebeladmin.com/2016/01/how-to-fix-error-no-mapping-between-account-names-and-security-ids-in-active-directory/">http://www.rebeladmin.com/2016/01/how-to-fix-error-no-mapping-between-account-names-and-security-ids-in-active-directory/</A> for information.</P> <P>I am going to modify the input so that it proceeds even if SID lookup fails. This will done under <A href="https://lukemurphey.net/issues/1789">this ticket</A> and will be released in version 1.1.1.</P> <P><STRONG>Update</STRONG></P> <P>I just released version 1.1.1 which should allow the input to work even if the SID and account name mapping doesn't exist on the host. You won't get the Windows ACL data if this condition exists, but the input will still run.</P> <P>Please let me know if that fixes the problem (or just accept this answer).</P> Fri, 17 Mar 2017 05:05:07 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251831#M28877 LukeMurphey 2017-03-17T05:05:07Z https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251832#M28878 <P>Using latest version I'm still having issues. Only seeing occasional logging to the correctly configured index on restarting the service. The interval is being ignored here.</P> <P>Looking at internal logs:<BR /> Index=_internal source="C:\Program Files\Splunk\var\log\splunk\file_meta_data_modular_input.log"</P> <P>Seeing events like:</P> <P>INFO Completed retrieval of file data....<BR /> WARNING Unable to get the ACL data, reason=(5, 'GetFileSecurity', 'Access is denied.')...<BR /> INFO Time is later than filter, st_mtime=1322859631.165719, must_be_later_than=None, path='...<BR /> INFO Time is later than filter, st_ctime=1330974351.030764, must_be_later_than=None, path=...</P> Tue, 29 Sep 2020 14:13:49 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251832#M28878 smudge797 2020-09-29T14:13:49Z https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251833#M28879 <P>A few things to look into:</P> <OL> <LI>Do the "Time is later than filter" logs include the files that you want logs for? This would indicate that the input is skipping the files because it doesn't detect that they have changed.</LI> <LI>Are you sure that Splunk has access to the files you want it to monitor? The permission errors seen previously might be an indicator that Splunk doesn't have access to the files.</LI> <LI>You might try disabling the option to only include new results to see if you get the results you want.</LI> </OL> Tue, 23 May 2017 17:33:26 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/After-installing-the-File-Directory-Information-Input-add-on-why/m-p/251833#M28879 LukeMurphey 2017-05-23T17:33:26Z