<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Logging tripwire reports in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Logging-tripwire-reports/m-p/26605#M4406</link>
    <description>&lt;P&gt;In my setup, I have two machines running Ubuntu Linux. On one I have Splunk, and on the other I have the universal forwarder running. Both seem to be working. On the remote box, I run an IDS called Tripwire that stores its logs in a directory, /var/lib/tripwire/report. Each report is a separate file in the dir. I added the directory using "add monitor" in the universal forwarder. What I assumed would happen is that newly added files would be logged in Splunk. When I run a tripwire check, the file is created. In Splunk, the only record is that /var/log/messages is updated with a short entry saying that tripwire has been run and the name/timestamp of the newly created file. This is not good enough, as I want to be able to see the entire report from the Splunk server and be able to search its contents (to trigger alerts). Is my understanding of what directory monitoring in Splunk does completely off? I assumed it would send a notification of any additions/changes to files in the monitored directories. Or is my implementation incorrect?&lt;/P&gt;

&lt;P&gt;I also tried another method: since the logging of /var/log/messages worked, I created a /var/trip/tripwire/log to which each tripwire report would be appended. I added that with the "add monitor" command, but this hasn't done anything either.&lt;/P&gt;</description>
    <pubDate>Tue, 06 Aug 2013 20:33:56 GMT</pubDate>
    <dc:creator>Ekrell</dc:creator>
    <dc:date>2013-08-06T20:33:56Z</dc:date>
    <item>
      <title>Logging tripwire reports</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Logging-tripwire-reports/m-p/26605#M4406</link>
      <description>&lt;P&gt;In my setup, I have two machines running Ubuntu Linux. On one I have Splunk, and on the other I have the universal forwarder running. Both seem to be working. On the remote box, I run an IDS called Tripwire that stores its logs in a directory, /var/lib/tripwire/report. Each report is a separate file in the dir. I added the directory using "add monitor" in the universal forwarder. What I assumed would happen is that newly added files would be logged in Splunk. When I run a tripwire check, the file is created. In Splunk, the only record is that /var/log/messages is updated with a short entry saying that tripwire has been run and the name/timestamp of the newly created file. This is not good enough, as I want to be able to see the entire report from the Splunk server and be able to search its contents (to trigger alerts). Is my understanding of what directory monitoring in Splunk does completely off? I assumed it would send a notification of any additions/changes to files in the monitored directories. Or is my implementation incorrect?&lt;/P&gt;

&lt;P&gt;I also tried another method: since the logging of /var/log/messages worked, I created a /var/trip/tripwire/log to which each tripwire report would be appended. I added that with the "add monitor" command, but this hasn't done anything either.&lt;/P&gt;</description>
      <pubDate>Tue, 06 Aug 2013 20:33:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Logging-tripwire-reports/m-p/26605#M4406</guid>
      <dc:creator>Ekrell</dc:creator>
      <dc:date>2013-08-06T20:33:56Z</dc:date>
    </item>
    <item>
      <title>Re: Logging tripwire reports</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Logging-tripwire-reports/m-p/26606#M4407</link>
      <description>&lt;P&gt;Your understanding of how file/directory monitor inputs work sounds correct to me. When you add a file or directory to be monitored, Splunk will pick up data in that file (or, in the case of a directory, any files in that directory or its subdirectories).&lt;/P&gt;

&lt;P&gt;If you're not seeing data from files you've added to be monitored, something is wrong. It could be a permissions issue, or it could be that the data is really coming in but timestamps are recognized incorrectly, so you're just missing it by searching the "wrong" time period. Two things that are very good for troubleshooting inputs:&lt;BR /&gt;
 - Check splunkd.log (in &lt;CODE&gt;$SPLUNK_HOME/var/log/splunk&lt;/CODE&gt;) for errors related to the input.&lt;BR /&gt;
 - Run this script that shows the status of all inputs on the monitoring Splunk instance in question: &lt;A href="http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/"&gt;http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 06 Aug 2013 21:05:07 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Logging-tripwire-reports/m-p/26606#M4407</guid>
      <dc:creator>Ayn</dc:creator>
      <dc:date>2013-08-06T21:05:07Z</dc:date>
    </item>
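As an added example (not code from the thread or from Splunk), the two checks the reply above recommends, scripted for the original poster's situation: a forwarder monitoring /var/lib/tripwire/report whose reports never show up. The helper verifies that the account running splunkd can actually read the monitored path and every report file in it (Tripwire writes its reports as root, which is the usual cause), then scans splunkd.log for WARN/ERROR lines that mention the path. The log line shapes are constructed for illustration and the exact message wording is my assumption, not a guaranteed splunkd.log format; the path to splunkd.log under the universal forwarder is likewise assumed.

```shell
#!/bin/sh
# Added troubleshooting helper, not part of the forum thread or of Splunk.
# For a monitor input that produces no events (the OP used
# "splunk add monitor /var/lib/tripwire/report"), check the two things the
# reply suggests:
#   1. can the user running splunkd read the monitored path and its files?
#   2. does splunkd.log carry WARN/ERROR lines about that path?
# Assumptions (mine): the forwarder runs as the current user, and splunkd.log
# lines are of the form "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - text".

# Usage:
#   check_monitor_input /var/lib/tripwire/report \
#       /opt/splunkforwarder/var/log/splunk/splunkd.log
# Prints findings; returns 0 when nothing suspicious is found, 1 otherwise.
check_monitor_input() {
    path="$1"
    log="$2"
    rc=0

    if [ ! -e "$path" ]; then
        echo "MISSING: $path does not exist on this host"
        rc=1
    elif [ ! -r "$path" ]; then
        echo "PERMS: $path is not readable by $(id -un)"
        rc=1
    elif [ -d "$path" ]; then
        # A monitored directory also needs search (execute) permission.
        if [ ! -x "$path" ]; then
            echo "PERMS: cannot traverse directory $path as $(id -un)"
            rc=1
        fi
        # The report files themselves must be readable, not just the directory;
        # Tripwire reports are typically created mode 0600 owned by root.
        for f in "$path"/*; do
            [ -f "$f" ] || continue
            if [ ! -r "$f" ]; then
                echo "PERMS: $f is not readable by $(id -un)"
                rc=1
            fi
        done
    fi

    if [ -r "$log" ]; then
        # WARN/ERROR lines (any component) that name the monitored path.
        hits=$(grep -E ' (WARN|ERROR) ' "$log" | grep -F "$path" || true)
        if [ -n "$hits" ]; then
            echo "SPLUNKD.LOG: warnings/errors mentioning $path:"
            echo "$hits"
            rc=1
        fi
    else
        echo "NOTE: $log is not readable, skipping the splunkd.log check"
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $path is readable and splunkd.log shows no WARN/ERROR for it"
    fi
    return "$rc"
}
```

Run it on the forwarder host as the same user the forwarder runs as (check with ps), since a root shell will pass the permission checks that splunkd itself fails. If the permissions are clean and the log is quiet, the remaining suspect from the reply is timestamp recognition: search the index over "All time" before concluding the data never arrived.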
    <item>
      <title>Re: Logging tripwire reports</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Logging-tripwire-reports/m-p/26607#M4408</link>
      <description>&lt;P&gt;Have you looked at using Tripwire Enterprise?&lt;/P&gt;</description>
      <pubDate>Tue, 22 Jul 2014 16:28:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Logging-tripwire-reports/m-p/26607#M4408</guid>
      <dc:creator>JimWachhaus</dc:creator>
      <dc:date>2014-07-22T16:28:46Z</dc:date>
    </item>
  </channel>
</rss>

