All Apps and Add-ons

SplunkLightForwarder + nix app + fschange, can this work?

bbeveridge
Engager

SplunkLightForwarder + nix app + fschange, can this work?

From what i read, when enabling the light forwarder it disables the fschange module.

In my scenario, having to use the full forwarder to get those above 2 things seems rather overkill.

1 Solution

gkanapathy
Splunk Employee
Splunk Employee

I don't know why people keep saying that enabling the light forwarder disables fschange. It does not. (If you wouldn't mind linking to where you read that, I will have it corrected.)

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

I don't know why people keep saying that enabling the light forwarder disables fschange. It does not. (If you wouldn't mind linking to where you read that, I will have it corrected.)

Jason
Motivator

It sounds as if there is a bug with light forwarder and fschange. From Known Issues at http://www.splunk.com/base/Documentation/latest/ReleaseNotes/Knownissues : When configuring file system change monitor (fschange) on a forwarder, if signedaudit = true and index=_audit are not explicitly set, fschange events do not get forwarded. (SPL-25294) Also in Answers http://answers.splunk.com/questions/2882/using-fschange-to-monitor-windows-filesystem

0 Karma

bbeveridge
Engager

looks like i was referencing non official documenation on the limitations of the light forwarder, it looks like splunk 3.x had this limitation based on: http://www.splunk.com/base/index.php?title=Documentation:Tmp:EnableTheSplunkForwarderOrLightForwarde...

and id also seen it mentioned on numerous forum/wikis

0 Karma
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...