topic Re: issues with universal forwarder and file monitoring in Getting Data In

issues with universal forwarder and file monitoring

plastiiq — Wed, 14 Nov 2012 16:41:23 GMT

I'm trying to get the universal forwarder to monitor a particular executable. It would have been nice to do a hash compare but after all this time invested trying to get this to work, I'll settle for any monitoring and subsequent forwarding of the particular file.

The results should be forwarding to a splunk server.

Here is my inputs.conf:

[fschange://C:\myapp\myapp.exe]
pollPeriod = 60
signedaudit=false
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

The log shows the following entry:

11-14-2012 04:32:36.997 -0500 INFO PipelineComponent - Pipeline fschangemanager enabled
11-14-2012 04:32:36.997 -0500 INFO loader - Instantiated plugin: fschangemanagerprocessor
11-14-2012 04:32:36.997 -0500 WARN FSChangeMonitor - Monitoring file or directory that doesn't exist at startup time - //C:\myapp\myapp.exe

The file definitely exists and it is in the path.

does anyone have any idea where I could be going wrong?

Re: issues with universal forwarder and file monitoring

lguinn2 — Wed, 14 Nov 2012 18:16:01 GMT

There is no // in the fschange spec:

[fschange:C:\myappmyapp.exe]

will probably work better. Good thinking on checking the log (and including it in your question). Few people do that, it seems.

Re: issues with universal forwarder and file monitoring

plastiiq — Wed, 14 Nov 2012 18:33:45 GMT

Thanks for the response.

I thought of removing the // previously only then it had appeared not to work at all and there were no log entries. I uninstalled, reinstalled the forwarder deleting the old paths and files; reconfigured and now it does in fact appear to work (sans the //)

Thanks so much!!

Re: issues with universal forwarder and file monitoring

plastiiq — Wed, 14 Nov 2012 20:49:56 GMT

actually it looks like I got one single entry forwarded, and then nothing else after hours.

I do see:

11-14-2012 07:25:29.893 -0500 INFO loader - Instantiated plugin: queueoutputprocessor
11-14-2012 07:25:29.893 -0500 INFO PipelineComponent - Pipeline fschangemanager enabled
11-14-2012 07:25:29.893 -0500 INFO loader - Instantiated plugin: fschangemanagerprocessor
11-14-2012 07:25:30.127 -0500 INFO loader - Instantiated plugin: queueoutputprocessor
11-14-2012 07:25:30.127 -0500 INFO PipelineComponent - Pipeline archivePipe enabled
11-14-2012 07:25:30.127 -0500 INFO loader - Instantiated plugin: archiveprocessor
11-14-2012 07:25:30.205 -0500 INFO loader - Instantiated plugin: queueoutputprocessor
11-14-2012 07:25:30.205 -0500 INFO PipelineComponent - Pipeline wineventlog enabled
11-14-2012 07:25:30.205 -0500 INFO loader - Instantiated plugin: wineventloginputprocessor
11-14-2012 07:25:30.205 -0500 INFO loader - Instantiated plugin: queueoutputprocessor

But no further mention of my file or my path.

Here is the current inputs.conf

[fschange C:\myapp\myapp.exe]
pollPeriod = 60
signedaudit=false
hashMaxSize=65535
fullEvent=true
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

Re: issues with universal forwarder and file monitoring

sowings — Wed, 14 Nov 2012 20:53:24 GMT

Did you change the file?

Re: issues with universal forwarder and file monitoring

plastiiq — Wed, 14 Nov 2012 20:53:46 GMT

just to add, the one single event it forwarded reads as follows:

Wed Nov 14 07:21:07 2012 action=add, path="\myapp\myapp.exe", isdir=0, size=1899520, gid=-1, uid=-1, modtime="Tue Oct 30 12:18:02 2012", mode="rwxrwxrwx", hash=