https://community.splunk.com/t5/Getting-Data-In/fschange-deprecated-what-options-are-available/m-p/48951#M9291 <P>Do you mean using Splunk exclusively, or do you want to know about other products that could solve this for you?</P> Thu, 29 Nov 2012 12:08:57 GMT Ayn 2012-11-29T12:08:57Z https://community.splunk.com/t5/Getting-Data-In/fschange-deprecated-what-options-are-available/m-p/48950#M9290 <P>The 5.0 release documentation states that fschange is deprecated.</P> <P>We use this extensively for configuration change detection. Does anyone know of how to get the same functionality as fschange on Linux and Windows?</P> <P>Thx</P> Thu, 29 Nov 2012 11:56:56 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-deprecated-what-options-are-available/m-p/48950#M9290 joonradley 2012-11-29T11:56:56Z https://community.splunk.com/t5/Getting-Data-In/fschange-deprecated-what-options-are-available/m-p/48951#M9291 <P>Do you mean using Splunk exclusively, or do you want to know about other products that could solve this for you?</P> Thu, 29 Nov 2012 12:08:57 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-deprecated-what-options-are-available/m-p/48951#M9291 Ayn 2012-11-29T12:08:57Z https://community.splunk.com/t5/Getting-Data-In/fschange-deprecated-what-options-are-available/m-p/48952#M9292 <P>For Linux, I'd guess that the <CODE>auditd</CODE> would be able to solve most things. Configuring it to be less noisy is probably an exercise. </P> <P>For Windows, I'd guess that you have to enable auditing on "object access", and set ACL's on the objects (files/directories) you wish to monitor. Exactly how to do this is a bit beyond my experience.</P> Thu, 29 Nov 2012 12:19:37 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-deprecated-what-options-are-available/m-p/48952#M9292 kristian_kolb 2012-11-29T12:19:37Z https://community.splunk.com/t5/Getting-Data-In/fschange-deprecated-what-options-are-available/m-p/48953#M9293 <P>Any product will do at the moment.</P> Fri, 30 Nov 2012 06:08:03 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-deprecated-what-options-are-available/m-p/48953#M9293 joonradley 2012-11-30T06:08:03Z https://community.splunk.com/t5/Getting-Data-In/fschange-deprecated-what-options-are-available/m-p/48954#M9294 <P>Can you pull in the entire configuration file with these methods?</P> Fri, 30 Nov 2012 06:08:38 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-deprecated-what-options-are-available/m-p/48954#M9294 joonradley 2012-11-30T06:08:38Z https://community.splunk.com/t5/Getting-Data-In/fschange-deprecated-what-options-are-available/m-p/48955#M9295 <P>Not too sure about that - or rather, I'm quite certain you can't. But what you will get is WHO made the change.</P> Fri, 30 Nov 2012 07:35:20 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-deprecated-what-options-are-available/m-p/48955#M9295 kristian_kolb 2012-11-30T07:35:20Z https://community.splunk.com/t5/Getting-Data-In/fschange-deprecated-what-options-are-available/m-p/48956#M9296 <P>Unfortunately I also need to track the changed contents as well.</P> Fri, 30 Nov 2012 10:56:25 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-deprecated-what-options-are-available/m-p/48956#M9296 joonradley 2012-11-30T10:56:25Z https://community.splunk.com/t5/Getting-Data-In/fschange-deprecated-what-options-are-available/m-p/48957#M9297 <P>TripWire does a good job of monitoring changes. Unsure if there is a ready made app for it.</P> <P>My two cents.</P> Thu, 11 Apr 2013 11:00:33 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-deprecated-what-options-are-available/m-p/48957#M9297 miteshvohra 2013-04-11T11:00:33Z