Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- How to monitor /root of Solaris
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to monitor /root of Solaris
I want to monitor /root file system of Solaris Sparc.
However, I have made below changes in inputs.conf
[monitor:///root/*]
index = os
disabled = 0
But still, I dont see /root file system visible in nix* dashboard.
Basically, I need to monitor acvities performed under /root. E.g. file creation, changes, deletion & Also hidden files modifications.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
monitor:// tells Splunk to index the contents of the files as new data arrives.
You want to track the filesystem-level changes to files (deletion of files, modification times, etc.).
So do this:
[fschange:/root]
followLinks=false
pollPeriod=120
index = os
disabled = 0
This will examine the /root directory tree every 2 minutes. A record of any file changes, deletions and additions will be added to the os index.
Please note that although fschange is still available in Splunk 5.0.2, the feature has been deprecated since Splunk 5.0.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks... Its done
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Done the changes. Still didnt see changes done under /root
Using splunk-5.0.1-143156-Linux-x86_64.tgz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. Splunk run as a user with access to the /root directory.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
root 24482 7.9 2.2 93832 46528 ? Sl 14:51 0:34 splunkd -p 8089 r
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, one word seem to have been lost in my comment.
Does Splunk run as a user with access to the /root directory?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have not created any user & I have got sudo access.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does Splunk as a user with access to the /root directory?
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
