Re: FS Change keeps adding and deleting files from...

jdunlea_splunk · ‎02-15-2012

I am monitoring /etc/hosts.allow and /etc/hosts.deny for change, with a poll period of 300 seconds.

[fschange:/etc/hosts.allow]
index = fschange_main
pollPeriod = 300

[fschange:/etc/hosts.deny]
index = fschange_main
pollPeriod = 300

For some reason, every poll period (5 mins) I get 2 events for each file.... one with "action=add" and another with "action=delete"..... as I said, this keeps happening once per poll period.

Can someone tell me what is wrong? I do not have duplicate fschange stanzas for those files.

Thanks!

John

daniel333 · ‎05-10-2018

Was there ever a fix to this? Seems like a weird problem to have other files are working great

bosburn_splunk · ‎08-07-2013

This is a known issue. It's unknown if / when it will be fixed since fschange is a deprecated feather.

flo_cognosec · ‎08-07-2013

Yep, here too 😞

gavin1_davenpor · ‎01-31-2013

bump. Happening here too.

FS Change keeps adding and deleting files from monitoring

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation