https://community.splunk.com/t5/Getting-Data-In/Monitoring-changes-to-configuration-files/m-p/15203#M1680 <P>Trying to monitor changes to configuration files.</P> <P>Followed this article: <A href="http://www.splunk.com/base/Documentation/4.0.9/Admin/Monitorchangestoyourfilesystem" rel="nofollow">http://www.splunk.com/base/Documentation/4.0.9/Admin/Monitorchangestoyourfilesystem</A></P> <P>Created Data Input in Splunk Manager. Here is the inputs.conf (added pollPeriod manually):</P> <P></P><HR /><P></P> <P>[monitor://\192.168.1.12\Siteroot\Web.config]</P> <P>disabled = false</P> <P>host = SIT-APP-shared</P> <P>host_regex = </P> <P>host_segment = </P> <P>index = main</P> <P>sourcetype = </P> <P>pollPeriod = 60</P> <P></P><HR /><P></P> <P>Restarted splunk after changes, share has full permissions for everyone.</P> <P>Then I change web.config file. Do search in Splunk - nothing.</P> <P>Does the configuration look right? How do I debug it to see if it's connecting to the share, how often, error messages etc.?</P> Thu, 10 Jun 2010 03:17:47 GMT kkuminsky 2010-06-10T03:17:47Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-changes-to-configuration-files/m-p/15203#M1680 <P>Trying to monitor changes to configuration files.</P> <P>Followed this article: <A href="http://www.splunk.com/base/Documentation/4.0.9/Admin/Monitorchangestoyourfilesystem" rel="nofollow">http://www.splunk.com/base/Documentation/4.0.9/Admin/Monitorchangestoyourfilesystem</A></P> <P>Created Data Input in Splunk Manager. Here is the inputs.conf (added pollPeriod manually):</P> <P></P><HR /><P></P> <P>[monitor://\192.168.1.12\Siteroot\Web.config]</P> <P>disabled = false</P> <P>host = SIT-APP-shared</P> <P>host_regex = </P> <P>host_segment = </P> <P>index = main</P> <P>sourcetype = </P> <P>pollPeriod = 60</P> <P></P><HR /><P></P> <P>Restarted splunk after changes, share has full permissions for everyone.</P> <P>Then I change web.config file. Do search in Splunk - nothing.</P> <P>Does the configuration look right? How do I debug it to see if it's connecting to the share, how often, error messages etc.?</P> Thu, 10 Jun 2010 03:17:47 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-changes-to-configuration-files/m-p/15203#M1680 kkuminsky 2010-06-10T03:17:47Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-changes-to-configuration-files/m-p/15204#M1681 <P>What you want to do is fschange (filesystem change) monitoring which is different from monitoring. If you modify you configuration to look like that in the example on the page you linked to, it should work:</P> <PRE><CODE>[fschange:/var/apache] index = sample recurse = true followLinks = false signedaudit = false fullEvent = true sendEventMaxSize = 1048576 delayInMills = 1000 </CODE></PRE> Thu, 10 Jun 2010 13:28:15 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-changes-to-configuration-files/m-p/15204#M1681 the_wolverine 2010-06-10T13:28:15Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-changes-to-configuration-files/m-p/15205#M1682 <P>Yes, you are right. It looks like I shouldn't rely that much on GUI.</P> <P>So, I've changed the config (see below). Now I don't see this record in Splunk Manager under Data Inputs anymore. Also, when I make changes to the file I'm still not able to find any records when doing search.</P> <HR /> <P>[fschange:\10.255.1.20\Siteroot\Web.config]</P> <P>index = main</P> <P>recurse = true</P> <P>followLinks = false</P> <P>signedaudit = false</P> <P>fullEvent = true</P> <P>sendEventMaxSize = 1048576</P> <P>delayInMills = 1000</P> <P>pollPeriod = 60</P> Thu, 10 Jun 2010 21:30:56 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-changes-to-configuration-files/m-p/15205#M1682 kkuminsky 2010-06-10T21:30:56Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-changes-to-configuration-files/m-p/15206#M1683 <P>It appears that it's working for local files - [fschange:C:\TEMP\test.txt], but not for network - [fschange:\10.255.1.20\Siteroot\Web.config]</P> <P>So, I guess the question is how to monitor files on other machines in the network.</P> Thu, 10 Jun 2010 22:23:30 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-changes-to-configuration-files/m-p/15206#M1683 kkuminsky 2010-06-10T22:23:30Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-changes-to-configuration-files/m-p/15207#M1684 <P>OK, the reason it was not working is that Splunk services were running under Local System account.</P> <P>Here are the articles I used to fix it:</P> <P><A href="http://www.splunk.com/base/Documentation/latest/Installation/InstallonWindows#Choosing_the_user_Splunk_should_run_as" rel="nofollow">http://www.splunk.com/base/Documentation/latest/Installation/InstallonWindows#Choosing_the_user_Splunk_should_run_as</A></P> <P><A href="http://www.splunk.com/base/Documentation/latest/Installation/CorrectingtheuserselectedduringWindowsinstallation" rel="nofollow">http://www.splunk.com/base/Documentation/latest/Installation/CorrectingtheuserselectedduringWindowsinstallation</A></P> Fri, 11 Jun 2010 00:16:54 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-changes-to-configuration-files/m-p/15207#M1684 kkuminsky 2010-06-11T00:16:54Z