Getting Data In
Highlighted

FSCHANGE recurse issue

Engager

Hello,

I want to watch .so .bin files in the /etc/security and its subfolders.

I applied a whitelist filter and a blacklist filter:

[filter:whitelist:whitelistf]
regex1 = (.+.so$|.+.bin$)
[filter:blacklist:blacklist
f]
regex1 = .*

Paramètres du File System Change Monitor pour le dossier /etc

[fschange:/etc/security/]
recurse = true
filters = whitelistf,blacklistf

Result : i can see the .so and .bin on /etc/security and not in the subfolders.

I guess that fschange apply the filters on the subfolders name too.
I tried to write some regex to include some subfolders but i dont get the waited result.

example of tried regex :

regex1 = ^/etc/security/*/(.+.so$|.+.bin)$

regex1 = ^/etc/security/.../(.+.so$|.+.bin)$

regex1 = ^/etc/security/(.+.so$|.+.bin)$

Any idea is welcome,

Thanks in advance,

Chaben

Tags (3)
Highlighted

Re: FSCHANGE recurse issue

Super Champion

I believe you need to make the change in the source, not the regex:

[fschange:/etc/security/...]

0 Karma
Highlighted

Re: FSCHANGE recurse issue

Engager

Thanks for your reply lukejadamec, i tried on Splunk Enterprise 6 but it doesn't work: No file added.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.