SplunkLightForwarder + nix app + fschange, can this work?
From what i read, when enabling the light forwarder it disables the fschange module.
In my scenario, having to use the full forwarder to get those above 2 things seems rather overkill.
I don't know why people keep saying that enabling the light forwarder disables fschange. It does not. (If you wouldn't mind linking to where you read that, I will have it corrected.)
I don't know why people keep saying that enabling the light forwarder disables fschange. It does not. (If you wouldn't mind linking to where you read that, I will have it corrected.)
It sounds as if there is a bug with light forwarder and fschange. From Known Issues at http://www.splunk.com/base/Documentation/latest/ReleaseNotes/Knownissues : When configuring file system change monitor (fschange) on a forwarder, if signedaudit = true and index=_audit are not explicitly set, fschange events do not get forwarded. (SPL-25294) Also in Answers http://answers.splunk.com/questions/2882/using-fschange-to-monitor-windows-filesystem
looks like i was referencing non official documenation on the limitations of the light forwarder, it looks like splunk 3.x had this limitation based on: http://www.splunk.com/base/index.php?title=Documentation:Tmp:EnableTheSplunkForwarderOrLightForwarde...
and id also seen it mentioned on numerous forum/wikis