Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

FSCHANGE recurse issue

chaben
Engager
‎05-19-2014 06:49 AM

Hello,

I want to watch .so .bin files in the /etc/security and its subfolders.

I applied a whitelist filter and a blacklist filter:

[filter:whitelist:whitelist_f]
regex1 = (.+.so$|.+.bin$)
[filter:blacklist:blacklist_f]
regex1 = .*

Paramètres du File System Change Monitor pour le dossier /etc

[fschange:/etc/security/]
recurse = true
filters = whitelist_f,blacklist_f

Result : i can see the .so and .bin on /etc/security and not in the subfolders.

I guess that fschange apply the filters on the subfolders name too.
I tried to write some regex to include some subfolders but i dont get the waited result.

example of tried regex :

regex1 = ^/etc/security/*/(.+.so$|.+.bin)$

regex1 = ^/etc/security/.../(.+.so$|.+.bin)$

regex1 = ^/etc/security/(.+.so$|.+.bin)$

Any idea is welcome,

Thanks in advance,

Chaben

Tags (3)
Reply

chaben
Engager
‎05-20-2014 01:32 AM

Thanks for your reply lukejadamec, i tried on Splunk Enterprise 6 but it doesn't work: No file added.

0 Karma
Reply

lukejadamec
Super Champion
‎05-19-2014 08:05 AM

I believe you need to make the change in the source, not the regex:

[fschange:/etc/security/...]

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...