
FS Change keeps adding and deleting files from monitoring

Splunk Employee

I am monitoring /etc/hosts.allow and /etc/hosts.deny for change, with a poll period of 300 seconds.

[fschange:/etc/hosts.allow]
index = fschange_main
pollPeriod = 300

[fschange:/etc/hosts.deny]
index = fschange_main
pollPeriod = 300

For some reason, every poll period (5 mins) I get 2 events for each file: one with "action=add" and another with "action=delete". As I said, this keeps happening once per poll period.

Can someone tell me what is wrong? I do not have duplicate fschange stanzas for those files.

Thanks!

John

Builder

Was there ever a fix to this? Seems like a weird problem to have; other files are working great.

0 Karma

Splunk Employee

This is a known issue. It's unknown if / when it will be fixed since fschange is a deprecated feature.

0 Karma
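
Added example, not part of the thread and not Splunk code: one way to keep the spurious add/delete pairs described above out of file-integrity alerting is to drop any "add" and "delete" for the same path that arrive less than one poll period apart. The event layout, the `update` action and the function names are assumptions made for illustration; only `action=add`, `action=delete`, the two paths and the 300-second poll period come from the thread.

```python
import re
from collections import defaultdict

POLL_PERIOD = 300  # seconds, same value as pollPeriod in the stanzas

# Constructed sample events (epoch seconds, action, path). The layout is
# assumed, not a capture of real fschange output.
SAMPLE_EVENTS = """\
1700000000 action=add path="/etc/hosts.allow"
1700000000 action=delete path="/etc/hosts.allow"
1700000000 action=add path="/etc/hosts.deny"
1700000000 action=delete path="/etc/hosts.deny"
1700000300 action=add path="/etc/hosts.allow"
1700000300 action=delete path="/etc/hosts.allow"
1700000300 action=update path="/etc/hosts.deny"
1700000600 action=delete path="/etc/hosts.deny"
"""

EVENT_RE = re.compile(r'^(\d+)\s+action=(\w+)\s+path="([^"]+)"$')


def parse_events(text):
    """Return a list of (timestamp, action, path); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events


def suppress_churn(events, poll_period=POLL_PERIOD):
    """Drop adjacent add+delete pairs per path that fall within one poll period."""
    by_path = defaultdict(list)
    for ev in sorted(events):
        by_path[ev[2]].append(ev)
    kept = []
    for path_events in by_path.values():
        i = 0
        while i < len(path_events):
            cur = path_events[i]
            nxt = path_events[i + 1] if i + 1 < len(path_events) else None
            if (nxt and {cur[1], nxt[1]} == {"add", "delete"}
                    and nxt[0] - cur[0] < poll_period):
                i += 2  # the pair the thread reports every poll period
                continue
            kept.append(cur)
            i += 1
    return sorted(kept)
```

A file that is genuinely deleted and recreated inside one poll period produces the same pair and is suppressed too, so a filter like this needs a content-hash comparison alongside it.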

Communicator

Yep, here too 😞

0 Karma

Path Finder

bump. Happening here too.

0 Karma