topic Trying to use FSChange for monitoring filesystem, getting a ton of sources and sourcetypes in Splunk Search

Trying to use FSChange for monitoring filesystem, getting a ton of sources and sourcetypes

kholleran — Wed, 27 Oct 2010 02:32:06 GMT

Hello,

I need to monitor a handful of application directories and system32 for changes. I utilized FSChange with regex's to isolate file types to monitor. I turned this on and all of a sudden I have over 100 sources and 30 sourcetypes! Is there a way to make all of these under one source and sourcetype? It appears each individual file is a different source type as opposed to a single fschange sourcetype.

Thanks for any help as there is so much its not very useful.

Thanks.

Kevin

Re: Trying to use FSChange for monitoring filesystem, getting a ton of sources and sourcetypes

kholleran — Wed, 27 Oct 2010 02:58:35 GMT

OK, I found the issue for the extra files I believe, it appears that in one of my whitelists I made a typo and forgot the opening bracket [.

So hopefully it is limiting its monitoring to just .exe, .dll, etc Is there a way to remove all those other sourcetypes and sources? Also, can all fschange related events be under a single source and sourcetype called fschange? Would I do this in transforms.conf?

Thanks.

Re: Trying to use FSChange for monitoring filesystem, getting a ton of sources and sourcetypes

kholleran — Tue, 09 Nov 2010 02:25:25 GMT

I also was pulling the whole event as I misunderstood what that did. Now I have it working and apparently there is a bug where | delete does not get rid of the source & sourcetype so I have several hundred sources and sourcetypes that I don't want...