Getting Data In

Check for config file changes

oscargarcia
Path Finder

Hi,

I would like to check for changes to some config files on the /etc directory on a bunch of servers. I have this entry in the inputs.conf file:

[fschange:/etc/]
index=volatile
sourcetype=linux_configfile
pollPeriod = 360
sendEventMaxSize=-1
fullEvent = true
filters=systemfiles,terminal-blacklist

[filter:whitelist:systemfiles]
regex1 = passwd
regex2 = shadow
regex3 = group

[filter:blacklist:terminal-blacklist]
regex1 = .?

It is working, as any changes are logged and sent to the central Splunk server. The issue is that I am getting this event only:

Thu Feb 24 17:07:40 2011 action=update, path="/etc/passwd", isdir=0, size=2338, gid=0, uid=0, modtime="Thu Feb 24 17:07:40 2011", mode="rw-r--r--", hash=, chgs="modtime "

And I would like to have the full file. I thought the "fullEvent" parameter was just for that, but it looks like it isn't.

What am I doing wrong?

Many thanks

Oscar

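The event in the post carries only metadata (an empty hash and chgs="modtime "), so a defender reading it can tell that the timestamp of /etc/passwd moved, not what the file now contains. The following added example (mine, not part of the thread or of Splunk) parses that fschange event format, applies the post's own whitelist patterns to the path, and flags events that are metadata-only; the sample line is constructed from the one quoted above.

```python
import re

# Constructed sample: the one event shape the post reports for /etc/passwd.
SAMPLE_EVENT = (
    'Thu Feb 24 17:07:40 2011 action=update, path="/etc/passwd", isdir=0, '
    'size=2338, gid=0, uid=0, modtime="Thu Feb 24 17:07:40 2011", '
    'mode="rw-r--r--", hash=, chgs="modtime "'
)

# The post's own whitelist patterns (regex1..regex3 of [filter:whitelist:systemfiles]).
SYSTEMFILES = [re.compile(p) for p in ("passwd", "shadow", "group")]

# One key=value pair: a double-quoted value (may hold spaces and commas)
# or a bare value running to the next comma (may be empty, e.g. hash=).
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]*))')


def parse_fschange(line):
    """Return (timestamp, fields) for one fschange event line."""
    ts, sep, body = line.partition(" action=")
    if not sep:
        raise ValueError("not an fschange event: %r" % line)
    fields = {}
    for m in _PAIR.finditer("action=" + body):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare.strip()
    # chgs is a space-separated list; the sample carries a trailing space.
    fields["chgs"] = fields.get("chgs", "").split()
    return ts, fields


def is_sensitive(path):
    """Apply the whitelist the way the config does: regex search on the path."""
    return any(p.search(path) for p in SYSTEMFILES)


def triage(line):
    """Summarise what the event does and does not say about the file."""
    ts, f = parse_fschange(line)
    # No hash and only modtime in chgs: the event proves the timestamp
    # changed, nothing about the content. Such events need a second look.
    metadata_only = not f.get("hash") and set(f["chgs"]) <= {"modtime"}
    return {
        "time": ts,
        "path": f["path"],
        "sensitive": is_sensitive(f["path"]),
        "changes": f["chgs"],
        "metadata_only": metadata_only,
    }
```

Running triage(SAMPLE_EVENT) reports the /etc/passwd update as sensitive and metadata-only.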
1 Solution

oscargarcia
Path Finder

Um, I am still only getting the event with the nature of the change, but not the complete file, that is what I am looking for...
