Can I monitor change on a remote file share direct...

samlinsongguo · ‎10-26-2017

I am trying to monitor the change on a remote file share directory. I want to know when the file changed, who made the change if posside (uid is fine.) I have following config put in inputs.conf file:

[fschange://\\servername\E$\Monitor\]
index=sservice
pollPeriod=60
fullEvent=ture
sourcetype=MonitorDir

in Splunkd log I got following error message

`10-27-2017 16:39:22.643 +1100 WARN  FSChangeMonitor - Monitoring file or directory that doesn't exist at startup time - //\\scabby\E$\Monitor

Any suggestion what is going on there?
Thanks

paulbannister · ‎01-31-2019

Unsure if this is still required or unanswered by try this as it worked for us, patience may be need if the directory is large and a full restart of the UF if you're using one:

[fschange:\servername\E$\Monitor]
index=sservice
sourcetype=MonitorDir
fullEvent=true
pollPeriod=60
recurse=true
sendEventMaxSize=100000
signedaudit=false
disabled=0

DalJeanis · ‎10-30-2017

The first thing I would do is check the spelling of the actual full route to the file. The character sequence //\\ looks suspicious to me, and I also wonder if E$ is intended to be literal.

Can I monitor change on a remote file share directory?

User Groups | Upcoming Events!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)