Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

FS Change keeps adding and deleting files from monitoring

jdunlea_splunk
Splunk Employee
Splunk Employee
‎02-15-2012 01:31 PM

I am monitoring /etc/hosts.allow and /etc/hosts.deny for change, with a poll period of 300 seconds.

[fschange:/etc/hosts.allow]
index = fschange_main
pollPeriod = 300

[fschange:/etc/hosts.deny]
index = fschange_main
pollPeriod = 300

For some reason, every poll period (5 mins) I get 2 events for each file.... one with "action=add" and another with "action=delete"..... as I said, this keeps happening once per poll period.

Can someone tell me what is wrong? I do not have duplicate fschange stanzas for those files.

Thanks!

John

Reply

daniel333
Builder
‎05-10-2018 03:16 PM

Was there ever a fix to this? Seems like a weird problem to have other files are working great

0 Karma
Reply

bosburn_splunk
Splunk Employee
Splunk Employee
‎08-07-2013 03:32 PM

This is a known issue. It's unknown if / when it will be fixed since fschange is a deprecated feather.

0 Karma
Reply

flo_cognosec
Communicator
‎08-07-2013 08:43 AM

Yep, here too 😞

0 Karma
Reply

gavin1_davenpor
Path Finder
‎01-31-2013 08:52 AM

bump. Happening here too.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
Top