topic Monitor empty files? in Getting Data In

Monitor empty files?

ftk — Tue, 16 Apr 2013 14:43:10 GMT

I have a business need to monitor 0 kb files. I can get this to work using fschange, however with fschange being deprecated in 5.x this is not a viable option. I would prefer using monitor rather than a script, and only want to index new files, with the system time being used as timestamp (DATETIME_CONFIG=CURRENT).

Any ideas?

Re: Monitor empty files?

bmacias84 — Tue, 16 Apr 2013 15:54:08 GMT

This will vary depending on OS. Which OS are you trying to do this for?

Re: Monitor empty files?

ftk — Tue, 23 Jul 2013 17:48:38 GMT

OS is Windows 2008.

Re: Monitor empty files?

gregbujak — Tue, 23 Jul 2013 18:09:54 GMT

Do these files grow? Do you need to know that they stayed empty and you want to know when they start growing? Or is it a simple flag that indicates something happened?

Re: Monitor empty files?

ftk — Tue, 23 Jul 2013 18:14:22 GMT

The files never grow. They are being used as a simple flag by the vendor, i.e. ABCD.zip will receive ABCD.done at 0 kb length to flag the file as processed.

Re: Monitor empty files?

bmacias84 — Tue, 23 Jul 2013 21:07:31 GMT

If you don't want to use a script or a modular input then Windows Security Auditing. You will have to monitor the Security Event Logs. The Windows Security Event logs can be really noisy, so you might have to build some transforms to filter data.

On your windows Server right click folder/directory. Select Properties
Click Security Tab. Click Advanced.
Click Auditing Tab. Click Edit
Click Add...
For Object Name enter: EVERYONE. Click Check Name. Click OK
Managing audit Windows will appear. Check Successful and Failed for the following accesses: Create Files/ Write data; Create folders / append data; Delete subfolders and files; delete

This should give you what you need. Though its been a while so you going to have dig up the EventID corresponding to the create/append/delte of a file. Think it might be 560, 4616. Also you may need to turn on Audit object access through Local Group Policy.

Additional info:

http://whatevernetworks.com/?p=108

Hope this helps or gets you started. If you have additional question I'll try to help.

Re: Monitor empty files?

ftk — Wed, 24 Jul 2013 15:45:42 GMT

That's a great idea. Not sure why I didn't think of that since we are using the SACLs for FIM already...thanks!

Re: Monitor empty files?

ben_leung — Wed, 10 Sep 2014 03:28:35 GMT

I have the same situation where we have to monitor files that are 0kb. The forwarder hangs during this time and creates a lag time for any other files to be monitored. This is in a linux base OS. How would you resolve the hang time?