Hi everyone, first post here. Hopefully I'm in the right location.
Recently installed the File/Directory Information Input add-on to try capturing file creation/modified timestamps and permissions. Attempting local inputs from a Splunk Enterprise server and UF (both Windows), but each will not capture the file owner or ACE permissions. Not seeing any errors in file_meta_data_modular_input.log. Python 2.7 installed on each instance. This is all I get:
is_directory=1 file_count=3 directory_count=0 path=C:\test atime="Tue Oct 6 16:31:22 2020" atime_epoch=1602016282.55 ctime="Tue Oct 6 16:31:18 2020" ctime_epoch=1602016278.12 dev=0 gid=0 ino=0 mode=16895 mtime="Tue Oct 6 16:31:22 2020" mtime_epoch=1602016282.55 nlink=0 size=4096 uid=0 time="Wed Oct 07 07:23:26 2020"
inputs.conf
[file_meta_data://default]
file_path = C:\test
interval = 15m
recurse = 1
only_if_changed = 0
include_file_hash = 0
file_hash_limit = 500MB
sourcetype = net:shares
index = test
Any thoughts on how to troubleshoot this? @LukeMurphey
Thanks
May I assume this is on Linux?
This is on Windows.
Ah ok. Let me test this again on Windows. Permission data is kinda complicated on Windows. The app has separate sub-routines to get the permission info because Windows often doesn't return this data if the script doesn't have the necessary permissions to get them (especially if it is on a CIFS/SMB share where things get even weirder).
Do you happen to know if it returns the permission data on files?
Not sure whether it can grab the permissions. How could I test that? I tried running the script manually to see if it would print to screen, but get nothing... no errors either...
More info about my environment:
Splunk Version 7.3.3
File/Directory Information Input version 1.4.5
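
One way to test the question raised above, whether the account can read owner and ACE data at all, independently of the add-on. This is an added example, not part of the thread and not the add-on's own code. It uses only built-in PowerShell cmdlets and assumes the `C:\test` path from the posted stanza; run it as the same account the Splunk service logs on as.

```powershell
# Added example: check whether the current account can read owner/ACE data
# for the monitored path, without involving the modular input.
$Path = 'C:\test'   # file_path from the inputs.conf stanza in the post

# The result only means something if this is the account splunkd runs as.
"Running as: " + [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# The directory itself plus everything below it (the stanza sets recurse = 1).
$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$results = foreach ($item in $items) {
    try {
        # -ErrorAction Stop turns an access-denied result into a catchable error.
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        [pscustomobject]@{
            Path  = $item.FullName
            Owner = $acl.Owner
            Aces  = ($acl.Access | ForEach-Object {
                        "$($_.IdentityReference):$($_.AccessControlType):$($_.FileSystemRights)"
                    }) -join '; '
            Error = $null
        }
    }
    catch {
        # Record the failure per item so partial denials are visible.
        [pscustomobject]@{
            Path  = $item.FullName
            Owner = $null
            Aces  = $null
            Error = $_.Exception.Message
        }
    }
}

$results | Format-List

# Summary: items where the security descriptor could not be read.
$failed = @($results | Where-Object { $_.Error })
"Items checked: $($results.Count); unreadable security descriptors: $($failed.Count)"
```

If every item shows an owner and ACEs under the service account, the account's rights are not what is keeping those fields out of the events; if the `Error` column is populated, the messages show which paths deny access.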