Hello,
We update the inputs.conf file periodically. I want to keep track of changes made in the inputs.conf file.
Any suggestions on how we can upload the file to Splunk whenever changes are made in inputs.conf?
Regards,
Ankit
You can dig into Splunk configs to monitor for inputs.conf changes. Keep in mind that inputs.conf can change in any Splunk subdirectory, so don't focus on one single inputs.conf file - to wit, search Splunk_Home for inputs.conf and you will get many file hits. Changes to any inputs.conf file will likely give you new inputs.
If you only monitor the main Splunk instance, then you might miss changes to forwarder inputs.conf files (a bit rusty on forwarding).
To monitor all changes to all inputs.conf files on your local Splunk system such that every change will have a new _time (time stamp) you can add the following text to your inputs.conf and props.conf files:
In an inputs.conf file:
[monitor://$SPLUNK_HOME\etc\...\inputs.conf]
disabled = false
sourcetype = Inputs_conf
In the corresponding props.conf file:
[Inputs_conf]
DATETIME_CONFIG=CURRENT
To see changes to any inputs.conf file, simply run a search on sourcetype=Inputs_conf for the time frame you're interested in. The Source will point you to the inputs.conf file path, and the Event will show you the change.
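
As an added illustration that is not part of the original posts or Splunk's own tooling, the Python below snapshots every inputs.conf under a directory and reports stanza-level differences between two snapshots, so a newly added input stands out regardless of which app directory it landed in. The function names and the sample tree built in `demo()` are constructed for this example; backslash line continuations in .conf values are not handled.

```python
import os
import tempfile

def parse_conf(text):
    """Parse .conf text into {(stanza, key): value}; key "" marks that a stanza exists."""
    settings, stanza = {}, "default"  # settings before any header belong to [default]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            settings[(stanza, "")] = ""
        elif line and not line.startswith("#") and "=" in line:  # skip blanks and comments
            key, _, value = line.partition("=")
            settings[(stanza, key.strip())] = value.strip()
    return settings

def snapshot(etc_dir):
    """Collect settings from every inputs.conf below etc_dir, keyed by relative path."""
    snap = {}
    for root, _dirs, files in os.walk(etc_dir):
        if "inputs.conf" in files:
            path = os.path.join(root, "inputs.conf")
            rel = os.path.relpath(path, etc_dir).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for (stanza, key), value in parse_conf(fh.read()).items():
                    snap[(rel, stanza, key)] = value
    return snap

def diff_snapshots(old, new):
    """Return sorted (path, stanza, key, old_value, new_value); None means absent."""
    return [k + (old.get(k), new.get(k))
            for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)]

def demo():
    """Constructed sample tree: one setting edited, one stanza added in a second app."""
    with tempfile.TemporaryDirectory() as etc:
        def write(app, body):
            d = os.path.join(etc, "apps", app, "local")
            os.makedirs(d, exist_ok=True)
            with open(os.path.join(d, "inputs.conf"), "w", encoding="utf-8") as fh:
                fh.write(body)
        write("search", "[monitor:///var/log/app.log]\nindex = main\n")
        before = snapshot(etc)
        write("search", "[monitor:///var/log/app.log]\nindex = audit\n")
        write("TA_example", "[script://./bin/collect.sh]\ninterval = 60\n")
        return diff_snapshots(before, snapshot(etc))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```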

Do you monitor inputs.conf directly on the server? Do you restart the Splunk service after each change? You could just include something like this in your inputs.conf:
[monitor://$SPLUNK_HOME/etc/apps/YourInputAppName/local/inputs.conf]
index = putSomeIndex
sourcetype = putSomeSourcetype
crcSalt = <SOURCE>

Aside from monitoring the files themselves (which is not a bad thing at all), my best practice recommendation would be to manage all your Splunk configuration files in a source control system, similar to what you would do with other code. This allows you to track changes and roll back to previous versions easily. When combined with using a deployment server (or another distributed config management tool), this can enable a solid configuration lifecycle management process.


You can use fschange in inputs.conf. Details here -> http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Monitorchangestoyourfilesystem

@jconger-- The link you provided has a disclaimer at the top: This feature has been deprecated as of Splunk Enterprise version 5.0. This means that although it continues to function in version 6.x of Splunk software, it might be removed in a future version.
