I want to monitor /root file system of Solaris Sparc.
However, I have made below changes in inputs.conf
[monitor:///root/*]
index = os
disabled = 0
But still, I don't see the /root file system visible in the nix* dashboard.
Basically, I need to monitor activities performed under /root, e.g. file creation, changes, deletion and also hidden file modifications.
monitor:// tells Splunk to index the contents of the files as new data arrives.
You want to track the filesystem-level changes to files (deletion of files, modification times, etc.).
So do this:
[fschange:/root]
followLinks=false
pollPeriod=120
index = os
disabled = 0
This will examine the /root directory tree every 2 minutes. A record of any file changes, deletions and additions will be added to the os index.
Please note that although fschange is still available in Splunk 5.0.2, the feature has been deprecated since Splunk 5.0.
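The polling approach this answer describes (walk the tree, do not follow links, record additions, deletions and changes, hidden files included) can be sketched as follows. This is an added example, not part of the original answer and not Splunk's code; the names `snapshot`, `diff` and `demo` are assumptions, and the sample files are constructed. It also reports paths the process cannot read, since an unreadable directory otherwise looks the same as one with no changes.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Return ({path: (mode, size, sha256)}, [unreadable paths]); symlinks are not followed."""
    state, denied = {}, []
    # os.walk silently skips directories it cannot list unless onerror is set
    walker = os.walk(root, followlinks=False, onerror=lambda e: denied.append(e.filename))
    for dirpath, dirnames, filenames in walker:
        for name in dirnames + filenames:      # no filtering, so dot-files are included
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: describe a link, not its target
                digest = None
                if stat.S_ISREG(st.st_mode):
                    h = hashlib.sha256()
                    with open(path, "rb") as fh:
                        for chunk in iter(lambda: fh.read(65536), b""):
                            h.update(chunk)
                    digest = h.hexdigest()
                state[path] = (st.st_mode, st.st_size, digest)
            except OSError:
                denied.append(path)
    return state, denied

def diff(old, new):
    """Compare two snapshots and return (action, path) events."""
    events = [("add", p) for p in sorted(new.keys() - old.keys())]
    events += [("delete", p) for p in sorted(old.keys() - new.keys())]
    events += [("update", p) for p in sorted(old.keys() & new.keys()) if old[p] != new[p]]
    return events

def demo():
    """Constructed sample tree: change one file, delete one, add a hidden one."""
    with tempfile.TemporaryDirectory() as root:
        keep, gone = os.path.join(root, "notes.txt"), os.path.join(root, "old.log")
        for p in (keep, gone):
            with open(p, "w") as fh:
                fh.write("v1")
        before, _ = snapshot(root)
        with open(keep, "w") as fh:
            fh.write("v2-changed")
        os.remove(gone)
        with open(os.path.join(root, ".bashrc"), "w") as fh:
            fh.write("alias x=y")
        after, denied = snapshot(root)
        return [(a, os.path.relpath(p, root)) for a, p in diff(before, after)], denied

if __name__ == "__main__":
    print(demo())
```

A non-empty second return value from `snapshot` means the account running the check could not read part of the tree, which is the first thing to rule out when no change events appear.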
Thanks... It's done
Done the changes. Still didn't see changes done under /root
Using splunk-5.0.1-143156-Linux-x86_64.tgz
Yes. Splunk runs as a user with access to the /root directory.
root 24482 7.9 2.2 93832 46528 ? Sl 14:51 0:34 splunkd -p 8089 r
Sorry, one word seems to have been lost in my comment.
Does Splunk run as a user with access to the /root directory?
I have not created any user & I have got sudo access.
Does Splunk as a user with access to the /root directory?