https://community.splunk.com/t5/Getting-Data-In/Splunk-Self-Monitoring/m-p/100402#M21007 <P>HOWEVER, our security team did like event hashing.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/4.3.4/Admin/Eventhashing">http://docs.splunk.com/Documentation/Splunk/4.3.4/Admin/Eventhashing</A></P> Thu, 18 Apr 2013 21:46:26 GMT I_am_Jeff 2013-04-18T21:46:26Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Self-Monitoring/m-p/100399#M21004 <P>My security people have asked if there is a self-monitoring capability in Splunk to track situations such as</P> <UL> <LI>A disgruntled employee does something and tries to cover his track by<BR /> modifying the log file <STRONG>and</STRONG> the Splunk index, either by editing or removal.</LI> </UL> Fri, 25 Jan 2013 19:34:10 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Self-Monitoring/m-p/100399#M21004 I_am_Jeff 2013-01-25T19:34:10Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Self-Monitoring/m-p/100400#M21005 <P>By default Splunk monitors changes to $SPLUNK_HOME/etc/. Changes to the index and log files are probably best tracked with operating system level changes. You could use fschange, but it is deprecated and as such, won't be around forever. </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/FSChangelocal">http://docs.splunk.com/Documentation/Splunk/latest/Data/FSChangelocal</A></P> <P>However, in my opinion, operating system level tools(auditd) are preferable to something like fschange.</P> Fri, 25 Jan 2013 19:39:11 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Self-Monitoring/m-p/100400#M21005 jbsplunk 2013-01-25T19:39:11Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Self-Monitoring/m-p/100401#M21006 <P>Yup. I knew about fschange going away. And it's always difficult to have the watcher watch itself in a meaningful and trusted way. Thank you for your comments!</P> Fri, 25 Jan 2013 20:35:23 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Self-Monitoring/m-p/100401#M21006 I_am_Jeff 2013-01-25T20:35:23Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Self-Monitoring/m-p/100402#M21007 <P>HOWEVER, our security team did like event hashing.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/4.3.4/Admin/Eventhashing">http://docs.splunk.com/Documentation/Splunk/4.3.4/Admin/Eventhashing</A></P> Thu, 18 Apr 2013 21:46:26 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Self-Monitoring/m-p/100402#M21007 I_am_Jeff 2013-04-18T21:46:26Z