Hi guys, I searched through all the topics and couldn't find anything relevant to my issue, so I hope someone can help me with my question.
We use Splunk Cloud with Enterprise Security. We have an AWS environment, mostly Linux instances. What I want to achieve is to search in Splunk for any new files put in /tmp, /sbin, etc.
I was googling and searching in the documentation; all I can find is this document https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Data/Monitorfilesanddirectories which says that I should use the CLI. But this doesn't make sense: we use Splunk Cloud, so there is no CLI, right? And I think this article is about accessing and monitoring Splunk files, right?
So yes, in short: how do I search for any new files added to instances?
Cheers.
Before Splunk can tell you about a new file something has to tell Splunk about it. That's what the Universal Forwarder (UF) does. It monitors specified directories and uploads the contents of those directories to Splunk Cloud. Note that Splunk knows about the file because it has indexed what's in the file - that's a lot more than just knowing the file exists. It also means Splunk won't know about non-text files because it won't index those.
There is an input called fschange that monitors changes to the file system and seems to be the perfect fit here. Be aware, however, that fschange has been deprecated for a few years now and could disappear at any time.
The instructions you cited about using the CLI to add a monitor are correct, but they apply to forwarders, which always run on your on-prem hardware rather than in the cloud.
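As an added example (not part of the original answer), this is what the inputs.conf on a Linux Universal Forwarder would look like for the directories asked about. It assumes the forwarder has already been installed on the instance and connected to Splunk Cloud with the forwarder credentials package, and that an index named linux_files exists; the index name, the sourcetypes and the blacklist pattern are assumptions, not something the thread specifies.

```ini
# Added example: /opt/splunkforwarder/etc/system/local/inputs.conf on the Linux
# instance (or the same stanzas in a deployment app). The index "linux_files"
# and the sourcetypes are assumptions; create the index in Splunk Cloud first.

# Supported approach: the monitor input. The UF tails every readable text file
# under the path and forwards its contents; each new file appears in Splunk as
# a new "source" value, which is what the search later keys on.
[monitor:///tmp]
index = linux_files
sourcetype = tmp_files
recursive = true
disabled = false
# Archives and binaries dropped in /tmp produce no useful events, so skip them
# up front (regex is matched against the full path).
blacklist = \.(gz|zip|tar|bin|so)$

# Same idea for /sbin. Note that nearly everything here is a binary, so the
# monitor input will tell you little about new executables; see the caveat
# in the answer above about non-text files.
[monitor:///sbin]
index = linux_files
sourcetype = sbin_files
recursive = false
disabled = false

# Deprecated approach, shown commented out for comparison only: fschange emits
# create/modify/delete events for a path (including binaries and empty files),
# but it has been deprecated since Splunk Enterprise 5.0 and may be removed.
# [fschange:/sbin]
# index = linux_files
# recurse = false
# pollPeriod = 60
# fullEvent = false
# signedaudit = false
```

The same monitor stanza can be created on the forwarder itself with `splunk add monitor /tmp -index linux_files -sourcetype tmp_files`, which is the CLI the cited document refers to; it is run on the forwarder, not against Splunk Cloud. Once events arrive, a search such as `index=linux_files earliest=-7d | stats min(_time) AS first_seen BY host, source | where first_seen > relative_time(now(), "-1d")` lists the files (the `source` field is the path) that were first seen in the last day. Keep in mind that a file only shows up once the forwarder has read at least one line from it, so an empty or binary drop in /tmp will not appear.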
I thought that because we use Splunk Cloud there are no forwarders, only collectors.
For fschange:
Note: The file system change monitor has been deprecated in Splunk Enterprise since version 5.0.
So fschange is not an option.