File Integrity Monitoring PCIDSS
Hi All, is anyone using Splunk as a file integrity monitoring system for PCIDSS? We currently use a fantastic product called Tripwire; however, the cost is exorbitant and I'm looking to find an alternative.
If you are using Tripwire Enterprise you may enjoy the new App for it.
Hot off the presses!
http://apps.splunk.com/app/1828/
1.0 version.
This is an old thread, but in case somebody stumbles across this:
You don't want to use fschange, and there are good reasons Splunk discourages the use of fschange now.
Either use Tripwire or other FIM solutions, or try to figure out how to do it with SELinux 😉
From consulting people I hear about Tripwire providing FIM and sending it to Splunk. Don't see Splunk used as the FIM provider - Splunk is better at other things, not FIM.
The point is though that it CAN do FIM, which often can be enough to make people happy.
The FIM functionality is now sadly being deprecated though, so it's hard to keep on recommending people to consider using Splunk for FIM.
Dear servebase - my company is actually the very first Splunk reseller, something we are very proud of, and we are very familiar with PCI-DSS 2.0. We have a comprehensive FIM function as part of our Reliant Security Splunk app that leverages a scheduled SSH stream that can be directed and configured centrally to monitor any file or folder path. For more information please contact me directly at pstead@reliantsecurity.com
Sincerely,
Phil

Hi servebase - Hopefully someone who actually uses it in this capacity will answer. In the meantime, I'll point out generally that we have lots of customers using our Universal Forwarder, which includes an FSChange monitor, to meet PCI requirement 11.5 (and possibly 10.5.5 depending on your environment). Our PCI Compliance solution (http://www.splunk.com/view/pci-compliance/SP-CAAACPS) includes built-in reports to use this information or consume data from Tripwire or other FIM solutions.
If you want more information on FSChange, check this out:
- http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/FSChangelocal
- http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Monitorchangestoyourfilesystem
Regards,
Jim
