Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

FSCHANGE recurse issue

chaben
Engager
‎05-19-2014 06:49 AM

Hello,

I want to watch .so .bin files in the /etc/security and its subfolders.

I applied a whitelist filter and a blacklist filter:

[filter:whitelist:whitelist_f]
regex1 = (.+.so$|.+.bin$)
[filter:blacklist:blacklist_f]
regex1 = .*

Paramètres du File System Change Monitor pour le dossier /etc

[fschange:/etc/security/]
recurse = true
filters = whitelist_f,blacklist_f

Result : i can see the .so and .bin on /etc/security and not in the subfolders.

I guess that fschange apply the filters on the subfolders name too.
I tried to write some regex to include some subfolders but i dont get the waited result.

example of tried regex :

regex1 = ^/etc/security/*/(.+.so$|.+.bin)$

regex1 = ^/etc/security/.../(.+.so$|.+.bin)$

regex1 = ^/etc/security/(.+.so$|.+.bin)$

Any idea is welcome,

Thanks in advance,

Chaben

Tags (3)
Reply

chaben
Engager
‎05-20-2014 01:32 AM

Thanks for your reply lukejadamec, i tried on Splunk Enterprise 6 but it doesn't work: No file added.

0 Karma
Reply

lukejadamec
Super Champion
‎05-19-2014 08:05 AM

I believe you need to make the change in the source, not the regex:

[fschange:/etc/security/...]

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...