Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

File system changes (not log monitoring)

tyronetv
Communicator
‎06-04-2014 08:14 AM

Have an environment where a directory is used to 'stage' files waiting for an update. Essentially, a file is sent to a vendor and a local status file (of zero or more bytes) is placed in a 'pending' directory. Once the vendor has completed their work and a good return is received the local status file is moved to the 'done' directory. (This is done so a second process can use the listing to determine what status file to check for on it's run).

What I want to do is monitor the '/pending' directory for new files only being worried about WHEN they showed up. Then, if they haven't 'moved' in a predetermined amount of time (depending upon environment this could be two - eight hours) raise an alert. This would also allow me to say "_time seen" and "_time gone" to build some metrics on vendor performance.

All that being said, I am having issues getting it set up to forward from my linux universal forwarder. My inputs.conf stanza looks like:

[fschange:/path/to/dir/]

signedaudit = false

index=_audit

I read that in one of the previous 'answers' questions. Unfortunately, I am seeing no records in _audit or _internal for that host using the search head.

Ideas?

Tags (2)
0 Karma
Reply

lguinn2
Legend
‎06-04-2014 08:31 AM

You should not be putting data in _audit, that is an internal index for Splunk to index its own events. I know that there is some stuff in the documentation that talks about this index, but unless you have already done all the other auditing setup, it isn't going to work.

Create a new index - you could call it audit and send data to that index instead.

[fschange:/path/to/dir/]
index=audit

Also, this feature is deprecated: Monitor changes to your filesystem

You can still use it, but it might go away.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...