https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148224#M185369 <P>Hi Ayn</P> <P>I am not seeing fschange is deprecated in latest version 6.2 <A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/admin/inputsconf">http://docs.splunk.com/Documentation/Splunk/6.2.0/admin/inputsconf</A></P> <P>please correct me If I am wrong...</P> Wed, 10 Dec 2014 08:12:43 GMT kml_uvce 2014-12-10T08:12:43Z https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148221#M185366 <P>Hi All,</P> <P>I am new to Splunk and need to complete the below use case</P> <P>Files in a linux directory are regularly archived to different directory. File deletion in this directory needs to be monitored.</P> <P>Example directory: user/data/files on a Linux machine<BR /> Splunk ver:6.1</P> Wed, 10 Dec 2014 06:20:08 GMT https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148221#M185366 ajeeshneelamkav 2014-12-10T06:20:08Z https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148222#M185367 <P>use this in inputs.conf<BR /> [fschange:&lt;path&gt;]</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/admin/inputsconf">http://docs.splunk.com/Documentation/Splunk/6.2.0/admin/inputsconf</A></P> Wed, 10 Dec 2014 07:08:52 GMT https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148222#M185367 kml_uvce 2014-12-10T07:08:52Z https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148223#M185368 <P>fschange is deprecated. Recommended option is to use each OS's native mechanisms for auditing filesystem activity, like auditd in Linux.</P> Wed, 10 Dec 2014 08:00:43 GMT https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148223#M185368 Ayn 2014-12-10T08:00:43Z https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148224#M185369 <P>Hi Ayn</P> <P>I am not seeing fschange is deprecated in latest version 6.2 <A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/admin/inputsconf">http://docs.splunk.com/Documentation/Splunk/6.2.0/admin/inputsconf</A></P> <P>please correct me If I am wrong...</P> Wed, 10 Dec 2014 08:12:43 GMT https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148224#M185369 kml_uvce 2014-12-10T08:12:43Z https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148225#M185370 <P>I have done it, how can retrieve this particular change using search query to create an alert ?</P> Wed, 10 Dec 2014 10:38:48 GMT https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148225#M185370 ajeeshneelamkav 2014-12-10T10:38:48Z https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148226#M185371 <P>if a folder deletes from Linux or files deleted from a Linux folder, will be there any specific keyword?</P> Wed, 10 Dec 2014 10:59:33 GMT https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148226#M185371 ajeeshneelamkav 2014-12-10T10:59:33Z https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148227#M185372 <P>how you done it , by using fschange /?<BR /> see keywords related to you deletion event and write search :</P> <P>index=&lt;indexname&gt; "keywords" and then go to save as-&gt; alert</P> Wed, 10 Dec 2014 11:00:20 GMT https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148227#M185372 kml_uvce 2014-12-10T11:00:20Z https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148228#M185373 <P>see in your events or send any event...</P> Wed, 10 Dec 2014 11:12:38 GMT https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148228#M185373 kml_uvce 2014-12-10T11:12:38Z https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148229#M185374 <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/releasenotes/Deprecatedfeatures">http://docs.splunk.com/Documentation/Splunk/6.2.0/releasenotes/Deprecatedfeatures</A></P> Wed, 10 Dec 2014 12:02:04 GMT https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148229#M185374 Ayn 2014-12-10T12:02:04Z https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148230#M185375 <P>hmmm, usually splunk gives any deprecated features in conf files also, but they have not given in inputs.conf for fschange, they need to change the doc for inputs.conf... </P> Wed, 10 Dec 2014 12:11:50 GMT https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148230#M185375 kml_uvce 2014-12-10T12:11:50Z https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148231#M185376 <P>No, "deprecated" does not mean "removed". The functionality is still there, but is due for removal, and the recommendation is to explore other options instead.</P> Wed, 10 Dec 2014 13:26:48 GMT https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148231#M185376 Ayn 2014-12-10T13:26:48Z https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148232#M185377 <P>yeah i am saying that splunk always mentioned that features is deprecated in conf files doc also but here splunk has not mentioned</P> Wed, 10 Dec 2014 13:36:10 GMT https://community.splunk.com/t5/Splunk-Search/Unathorized-Linux-folder-deletion/m-p/148232#M185377 kml_uvce 2014-12-10T13:36:10Z