topic Re: fschange won't work in Getting Data In

fschange won't work

SplunkUser5888 — Tue, 02 Oct 2012 13:13:08 GMT

Hey guys,

I've looked everywhere and as far as I could tell none of the other answers helped my problem. As you can guess I'm relatively new so go easy on me 😜

I've managed to get fschange to work with $splunkhome/etc (who hasn't right?) but when I change the directory to /home/administrator/Documents it doesn't work. I wanted to do this as a test to see if I could get fschange to work before sticking it to do the real work with actual files.

My problem is i've tried everything I know (which isn't much) I've even done a search

index=_internal source="splunkd.log3 /documents

to see if it there were any reported problems in the logs ... nothing

here is my code, I know it's probable obvious where I went wrong, but I would really appreciate any help yuo could give me, thanks

[default]
host = ubuntu-splunk

[fschange:/home/administrator/Documents]
index = _audit
recurse = true
followLinks = false
signedaudit = false
fullEvent = true
sendEventMaxSize = 1048576
delayInMills = 1000

in the inputs.conf in /etc/system/local

Re: fschange won't work

Ayn — Tue, 02 Oct 2012 13:33:18 GMT

I fixed your formatting a bit - is this how your config files look like?

Re: fschange won't work

Ayn — Tue, 02 Oct 2012 13:34:34 GMT

In your inputs.conf you specify that the fschange events should be written to the index _audit, but in your search you're looking in the index _internal...

Re: fschange won't work

SplunkUser5888 — Tue, 02 Oct 2012 13:36:46 GMT

thanks for that, yeah it is basically like that except that instead of blanks on the return lines, i added #

Re: fschange won't work

SplunkUser5888 — Tue, 02 Oct 2012 13:41:53 GMT

I thought that's what you type to get infor on the splunkd logs, when I change to _audit, I get no results, where as when I keep _internal, I get the errors I had with my previous syntax show up, but it doesn't show any errors since the ones I fixed, but still, no results

Re: fschange won't work

Ayn — Tue, 02 Oct 2012 13:45:14 GMT

Ah, sorry, I misread - I thought you were looking for the actual events in _internal. Does a search for index=_internal fschange show anything interesting?

Also does the user Splunk is running as have read access to the directory you're wanting to run fschange on?

Re: fschange won't work

SplunkUser5888 — Tue, 02 Oct 2012 13:56:03 GMT

the search brings back some http requests and the old errors I made before changing the syntax to how you see it now. As for the user, it was a normal user which i've now changed to admin, I will be starting a conference in a minute so I will test it tomorrow and get back to you, thanks for the help though

Re: fschange won't work

MuS — Wed, 03 Oct 2012 06:51:22 GMT

then I come back with my initial comment; does the user running splunkd have permission to read in /home/administrator/Documents ?

Re: fschange won't work

SplunkUser5888 — Wed, 03 Oct 2012 07:16:49 GMT

Hey, I tested the setup after making Splunk user have admin privileges and restarted, ran again and nothing. I still can't find any errors in the log, and I still can't find the input when I add, change or delete a file / folder in the /Documents section

Re: fschange won't work

Ayn — Wed, 03 Oct 2012 07:26:56 GMT

Well as far as I can tell the config you pasted looks OK. I could try with your exact settings later on and see what the results are.

Re: fschange won't work

SplunkUser5888 — Wed, 03 Oct 2012 08:20:55 GMT

I've solved it, I think I had conflicts so I changed inputs.conf completely.

[default]
host = ubuntu-splunk
[fschange:/home/administrator/Documents/]
index = main
signedaudit = false
pollPeriod = 1
hashMaxSize = 10485760
fullEvent = true

and now I find my changes/adds/deletes when I search

index=main sourceype="fs_notification"

Re: fschange won't work

SplunkUser5888 — Wed, 03 Oct 2012 08:27:29 GMT

hey, sorry I didn't see your reply, I've solved it, either my config was right and I was looking in the wrong place or I got the wrong config, but the one I wrote in the answer I gave works just fine. Thanks for your help though.

Re: fschange won't work

Ayn — Wed, 03 Oct 2012 08:35:55 GMT

Excellent that you solved it 🙂