https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107987#M22696 <P>I fully agree with dabbank!</P> Tue, 27 Nov 2012 14:48:31 GMT dvb 2012-11-27T14:48:31Z https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107980#M22689 <P>Why is FSChange a deprecated feature in Splunk 5.0? </P> Tue, 30 Oct 2012 20:55:24 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107980#M22689 BP9906 2012-10-30T20:55:24Z https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107981#M22690 <P>The fschange input is deprecated in 5.0 for two reasons.</P> <P>First, it does not run predictably on all platforms. Since it has been that way for some time, many felt that was a form of 'implicit' deprecation. We prefer to be open whenever possible, so we decided the time had come to signal that this feature had too many caveats. </P> <P>Second, it does not do what is generally required for audit use cases, which is track the user/account making the change. Most OS/FS pairs provide high quality, out-of-the-box tools to do this already. In fact our guidance has been to use those tools in most cases, leaving little room for a Splunk-maintained feature. </P> <P>We are considering migrating the file metadata capabilities of fschange into monitor. That won't help the second point, but would be parity with fschange. If you would like to weigh in to support that, please file an enhancement request with our support team; both so we know your use case, and can get back to you personally.</P> Tue, 30 Oct 2012 21:24:23 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107981#M22690 cervelli 2012-10-30T21:24:23Z https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107982#M22691 <P>When is Splunk planning on dropping support for fschange completely?</P> Wed, 31 Oct 2012 18:42:00 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107982#M22691 responsys_cm 2012-10-31T18:42:00Z https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107983#M22692 <P>There is no decision on when to remove fschange. The input will be supported for at least as long as 4.3.x is supported.</P> Wed, 31 Oct 2012 20:04:06 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107983#M22692 cervelli 2012-10-31T20:04:06Z https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107984#M22693 <P>How long is that? This slightly related a previous question I had. <A href="http://splunk-base.splunk.com/answers/55847/splunk-support-and-end-of-life">http://splunk-base.splunk.com/answers/55847/splunk-support-and-end-of-life</A></P> Wed, 31 Oct 2012 21:24:52 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107984#M22693 kristian_kolb 2012-10-31T21:24:52Z https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107985#M22694 <P>Per the support agreement, (<A href="http://www.splunk.com/web_assets/pdfs/support/SplunkSupportAgreement.pdf">http://www.splunk.com/web_assets/pdfs/support/SplunkSupportAgreement.pdf</A>) until the second major release (e.g. 6.0) or 24 months, whichever is more. As 4.3 went GA Jan 2012, that would mean Jan 2014.</P> Thu, 01 Nov 2012 23:35:22 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107985#M22694 cervelli 2012-11-01T23:35:22Z https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107986#M22695 <P>With a Splunk Universal Forwarder installed on most production machines already the fschange monitor is an easy-to-use approach to monitor changes of certain configuration files.<BR /> Together with "fullEvent = true" you even get a full history. To implement the same functionality with OS out-of-the-box tools like Linux inotify is not quite as handy.<BR /> If "most OS/FS pairs provide high quality" support for this, why is it so hard then to do this right in Splunk?</P> <P><STRONG>I hereby request to keep the fschange input in Splunk</STRONG> and fix open issues instead of throwing in the towel.</P> Tue, 13 Nov 2012 08:12:23 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107986#M22695 dabbank 2012-11-13T08:12:23Z https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107987#M22696 <P>I fully agree with dabbank!</P> Tue, 27 Nov 2012 14:48:31 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107987#M22696 dvb 2012-11-27T14:48:31Z https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107988#M22697 <P>Can I ask, if you've not already done so, that you log a case with Support to ensure that your request is counted in the official ER stats. I'd encourage anyone that needs this functionality to do the same.</P> Tue, 27 Nov 2012 15:30:49 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107988#M22697 ahattrell_splun 2012-11-27T15:30:49Z https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107989#M22698 <P>The decision has already been made as fschange is already deprecated in 5.0 -- miracles do happen and maybe Splunk will redo it and it will work as expected in a future release.</P> Fri, 25 Jan 2013 01:17:01 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107989#M22698 the_wolverine 2013-01-25T01:17:01Z https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107990#M22699 <P>Please note that if you want to monitor changes to file content (i.e. fullEvent = true), you can get better and more consistent results using a regular file <CODE>monitor://</CODE> rather than fschange, by setting props.conf settings <CODE>CHECK_METHOD</CODE> to <CODE>modtime</CODE> (or <CODE>entire_md5</CODE>). You should also set LINE_BREAKER to <CODE>(?!)</CODE> or <CODE>(*FAIL)</CODE>, but you need to do this for fschange as well.</P> Mon, 18 Feb 2013 16:43:51 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107990#M22699 gkanapathy 2013-02-18T16:43:51Z https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107991#M22700 <P>I agree that this is a usefull feature and that we should keep it.</P> Wed, 18 Sep 2013 14:18:50 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107991#M22700 fquintella 2013-09-18T14:18:50Z https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107992#M22701 <P>This might be a good forward looking solution: <A href="http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html">http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html</A></P> Tue, 24 Mar 2015 14:36:09 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-FSChange-file-system-change-monitor-a-deprecated-feature/m-p/107992#M22701 sloshburch 2015-03-24T14:36:09Z