https://community.splunk.com/t5/Knowledge-Management/some-questions-about/m-p/198135#M7793 <P>Yes, at last I made the register monitoring. It is necessary to set up monitoring of file system</P> Mon, 24 Mar 2014 09:45:45 GMT vinchakov_a 2014-03-24T09:45:45Z https://community.splunk.com/t5/Knowledge-Management/some-questions-about/m-p/198132#M7790 <P>Hello, I am a beginner in splunk. I started implementing an enterprise splunk. At present from splunk I need monitoring of files, the register and logs, and some perfmon counters. But I met difficulties. I nave:<BR /> 1) FileSystem monitoring:</P> <PRE><CODE>[fschange:C:\Windows\System32] pollPeriod = 3600 index = fschange filters = ignore_logs signedaudit = false hashMaxSize = 104857600 recurse = true followLinks = false fullEvent = false sendEventMaxSize = -1 filesPerDelay = 100 delayInMills = 1000 </CODE></PRE> <P>But when I create the directory (file), or I delete, splunk doesn't report to me about it.</P> <P>2) Monitoring free space</P> <PRE><CODE>[perfmon://LocalPhysicalDisk] interval = 300 object = PhysicalDisk counters = % Free Space; Free Megabytes disabled = 0 instances = * index = perfmon </CODE></PRE> <P>It at all doesn't work.</P> <P>3) Monitoring windows registry</P> <PRE><CODE>[WinRegMon://RegistryMonitor] baseline = 0 disabled = 0 hive = \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\?.* proc = C:\\.* index = winreg type = rename|set|delete|create </CODE></PRE> <P>It at all doesn't work.</P> <P>Can you help me?</P> Mon, 24 Mar 2014 05:52:53 GMT https://community.splunk.com/t5/Knowledge-Management/some-questions-about/m-p/198132#M7790 vinchakov_a 2014-03-24T05:52:53Z https://community.splunk.com/t5/Knowledge-Management/some-questions-about/m-p/198133#M7791 <P>Hello,<BR /> On first look perfmon object is wrong. Physical Disk doesn't have those counters, Logical disk has.</P> <PRE><CODE>[perfmon://LocalPhysicalDisk] interval = 300 object = LogicalDisk counters = % Free Space; Free Megabytes disabled = 0 instances = * index = perfmon </CODE></PRE> <P>Regmon you have provided path in "proc" rather than the process name.</P> <P>Use Monitor instead of fschange which is depreciated. But you need to put more logic to find out the file creation and deletion.</P> <P>More details you can refer this:</P> <PRE><CODE><A href="http://docs.splunk.com/Documentation/Splunk/6.0.2/admin/inputsconf" target="test_blank">http://docs.splunk.com/Documentation/Splunk/6.0.2/admin/inputsconf</A> </CODE></PRE> <P>Thanks</P> Mon, 24 Mar 2014 07:21:52 GMT https://community.splunk.com/t5/Knowledge-Management/some-questions-about/m-p/198133#M7791 linu1988 2014-03-24T07:21:52Z https://community.splunk.com/t5/Knowledge-Management/some-questions-about/m-p/198134#M7792 <P>Thanks, the first issue is resolved. I read input.conf, but didn't find specific examples about registry and monitoring of file system with a hash with monitor</P> Mon, 24 Mar 2014 07:46:30 GMT https://community.splunk.com/t5/Knowledge-Management/some-questions-about/m-p/198134#M7792 vinchakov_a 2014-03-24T07:46:30Z https://community.splunk.com/t5/Knowledge-Management/some-questions-about/m-p/198135#M7793 <P>Yes, at last I made the register monitoring. It is necessary to set up monitoring of file system</P> Mon, 24 Mar 2014 09:45:45 GMT https://community.splunk.com/t5/Knowledge-Management/some-questions-about/m-p/198135#M7793 vinchakov_a 2014-03-24T09:45:45Z