How can we monitor changes to inputs.conf file on our universal forwarders?

Path Finder

Using Splunk Enterprise 6.2.2
The Problem: No data ingested.
We have several deployed APPs and would like to monitor changes to inputs.conf file on our universal forwarders. We have created a new app called confMonitor. Its input file is shown below.

[monitor://C:\Program Files\splunkuniversalforwarder\etc\apps\windows\local\inputs.conf]
disabled = false
sourcetype = syslog
index = testdata

There are three APPS on this universal forwarder: confMonitor, windows and sendtoindexer; only the latter two function.

The splunkd.log file shows the following; no other messages exist about this APP or inputs file.
08-XX-20XX 10:23:56.277 -0400 INFO TailingProcessor - Adding watch on path: C:\Program Files\splunkuniversalforwarder\etc\apps\windows\local\inputs.conf.

sourcetype=syslog is a valid sourcetype; index=testdata is a valid index. We tried using crcSalt = ; we've tried csv as a sourcetype. We have stopped/started the universal forwarder in order to re-read the APPS on the universal forwarder. We do not use a deployment server. It looks like fschange from previous versions of Splunk may have worked, but I think it's been deprecated. Help is appreciated.

1 Solution

Esteemed Legend

This is TOTALLY the wrong way to go about it because monitor is a tail -f thing and you need a fschange + diff thing. But there is an app for that: Configurations Analytics App for Splunk:

https://splunkbase.splunk.com/app/3295/

0 Karma
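
The "fschange + diff" approach named in the answer above, as an added example that is not part of the original post and is not code from the Configurations Analytics App: a script that keeps a snapshot of a conf file and returns a hash pair plus a unified diff whenever the content changes. The function names, the state directory and the availability of a Python interpreter on the forwarder host are assumptions.

```python
import difflib
import hashlib
import json
import tempfile
import time
from pathlib import Path


def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_conf(conf_path, state_dir):
    """Diff conf_path against the copy saved on the previous run.

    Returns None if unchanged, else an event dict; the saved copy is updated.
    A missing file is stored as empty text, so empty and deleted look alike
    to later runs.
    """
    conf, state = Path(conf_path), Path(state_dir)
    state.mkdir(parents=True, exist_ok=True)
    # One snapshot per monitored path, named after a hash of the path.
    snap = state / (_sha256(str(conf))[:16] + ".snap")

    first_run = not snap.exists()
    old = "" if first_run else snap.read_text(encoding="utf-8")
    exists = conf.exists()
    new = conf.read_text(encoding="utf-8", errors="replace") if exists else ""
    if not first_run and new == old:
        return None

    diff = list(difflib.unified_diff(old.splitlines(), new.splitlines(),
                                     "previous", "current", lineterm=""))
    snap.write_text(new, encoding="utf-8")
    action = "baseline" if first_run else ("modified" if exists else "deleted")
    return {"time": int(time.time()), "path": str(conf), "action": action,
            "old_sha256": _sha256(old), "new_sha256": _sha256(new), "diff": diff}


if __name__ == "__main__":
    # Constructed demo in a temp directory; on a forwarder, point conf_path at
    # the real inputs.conf and keep state_dir outside the monitored app.
    with tempfile.TemporaryDirectory() as d:
        conf, state = Path(d) / "inputs.conf", Path(d) / "state"
        conf.write_text("[monitor://C:\\logs\\app.log]\nindex = testdata\n")
        check_conf(conf, state)  # first run only records the baseline
        conf.write_text("[monitor://C:\\logs\\app.log]\nindex = main\n")
        print(json.dumps(check_conf(conf, state)))  # one JSON event per change
```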

Path Finder

Thank you for the information. Works great!

Esteemed Legend

Let's get the author to comment and then you can UpVote his comment and get him some Thank-You Karma since you like his app. He is a GREAT GUY: Hey @landen99 where are you and what are you up to lately? We've got some app-love happening here!

0 Karma

Motivator

I am in Houston getting ready for Hurricane Harvey to come in Friday through Monday. I would like to improve that app and even create a Cloud version, but I just can't find the time yet. All development help on the app is welcome. It still needs more extractions and dashboards.