as you can see I'm new to splunk and I need some tips to find a solution for my problem.
I have to monitor different directory's on our windows file server for file access/modification/deletion.
First I checked out the fschange oportunity of splunk. At the beginning everything looks fine but then I saw that no user information are included. So fschange isn't the right solution for my problem.
Then I looked at the answers page on splunk web but I could not find any help.
I know that the eventcodes 560,564,567 the right eventcode are but I have no idea how to create a search query to find out the user who delete/access/edit a file.
Could anybody tell me if it's possible to find out with splunk the user who delete/access/edit a file?
If it's possible can anybody give me some tips?
I have created the following search query but it seems that the result isn't correct.
host="srvXXX" EventCode=562 OR EventCode=560 OR EventCode=564 OR EventCode=567 NOT (User=*Batchuser* OR User=*SYSTEM*) | transaction Handle_ID | stats values(Object_Name) AS Object by User
Try using fschange again, using search "source=fschange". I set it up and tested it and I get uid, gid, etc. This was on my Mac, but the same info should work on Windows too. Here is my result of me creating a file in /etc called touch.cfg.
Tue Dec 20 08:16:28 2011 action=update, path="/etc/touch.cfg", isdir=0, size=90, gid=0, uid=502, modtime="Tue Dec 20 08:16:08 2011", mode="rw-r--r--", hash=, chgs="mod time "
inputs.conf (Using Whitelist and Blacklist)
regex1 = touch.cfg
regex1 = .?
recurse = true
pollPeriod = 60
followLinks = false
signedaudit = false
fullEvent = true
filters = configs,else
thanks for your answer.
Next week i will test it and come back to you.
But i have read in the documentation that only on unix the fschange tool will display the user information.
By the way I have created the following query.
source="WMI:WinEventLog:Security" EventCode=560 OR EventCode=562 OR EventCode=567 NOT User="NT AUTHORITY\\SYSTEM" | transaction Handle_ID Prozess_ID | stats values(Object_Name) AS Object by User
With this query i got to many files in my output. I think I have to use the transaction parameter like maxspan or maxevents to specialized the output. It seems that there are more HandleID's and ProzessID's with the same values.
You can use startswith and endswith on your transaction to ensure the transactions get closed:
| transaction Handle_ID Process_ID startswith="EventCode=560" endswith="EventCode=562" |
see also the docs on transaction
I checked the parameters startswith and endswith but I have the problem, that this only works if an event starts with eventid 560 and ends with id 562. But if between this two events are many events with 567 it seems that this doesn't work.
I will check this on monday morning and come back to you.