Solved: Check for config file changes

oscargarcia · ‎02-24-2011

Hi,

I would like to check for changes to some config files on the /etc directory on a bunch of servers. I have this entry in the inputs.conf file:

[fschange:/etc/]
index=volatile
sourcetype=linux_configfile
pollPeriod = 360
sendEventMaxSize=-1
fullEvent = true
filters=systemfiles,terminal-blacklist

[filter:whitelist:systemfiles]
regex1 = passwd
regex2 = shadow
regex3 = group

[filter:blacklist:terminal-blacklist]
regex1 = .?

It is working, as any changes are logged and sent to the central splunk server. The issue is that I am getting this event only:

Thu Feb 24 17:07:40 2011 action=update, path="/etc/passwd", isdir=0, size=2338, gid=0, uid=0, modtime="Thu Feb 24 17:07:40 2011", mode="rw-r--r--", hash=, chgs="modtime "

And I would like to have the full file. I thought the "fullEvent" parameter was just for that, but it looks like it isn't.

What am I doing wrong?

Many thanks

Oscar

Ron_Naken · ‎02-24-2011

This answer should help:

http://answers.splunk.com/questions/7081/fschange-fulleventtrue-but-no-full-event

View solution in original post

Ron_Naken · ‎02-24-2011

This answer should help:

http://answers.splunk.com/questions/7081/fschange-fulleventtrue-but-no-full-event

oscargarcia · ‎02-25-2011

Um, I am still only getting the event with the nature of the change, but not the complete file, that is what I am looking for...

Check for config file changes

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Announcing Modern Navigation: A New Era of Splunk User Experience

Casting Call: Compete in Cyber Games

Join the Conversation