Getting Data In

How to search for new files put in to folders

roberto_baggio
New Member

Hi guys, I searched through all topics and couldn't find anything relevant to my issue, so I hope someone would help me with my question.

We use Splunk Cloud Enterprise Security. We have an AWS environment, mostly with Linux instances. What I want to achieve is to search in Splunk for any new files put in /tmp or /sbin, etc.

I was googling and searching in the documentation; all I can find is this document https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Data/Monitorfilesanddirectories which says that I should use the CLI. But this doesn't make sense: we use Splunk Cloud, so there is no CLI, right? And I think this article is about accessing and monitoring Splunk files, right?

So yeah, in short: how to search for any new files added to instances.


Cheers.


richgalloway
SplunkTrust

Before Splunk can tell you about a new file something has to tell Splunk about it.  That's what the Universal Forwarder (UF) does.  It monitors specified directories and uploads the contents of those directories to Splunk Cloud.  Note that Splunk knows about the file because it has indexed what's in the file - that's a lot more than just knowing the file exists.  It also means Splunk won't know about non-text files because it won't index those.

There is an input called fschange that monitors changes to the file system and seems to be the perfect fit here.  Be aware, however, that fschange has been deprecated for a few years now and could disappear at any time.

The instructions cited about using the CLI to add a monitor are correct, but they apply to forwarders, which always run on your on-prem hardware rather than in the cloud.

---
If this reply helps you, Karma would be appreciated.
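An added example (not from the thread, and not from Splunk's documentation) of the Universal Forwarder approach described above: an inputs.conf monitor stanza on the Linux instance that ships files dropped into /tmp to Splunk Cloud, so every new file appears as a new source. The index name, sourcetype, app path and blacklist pattern are assumptions.

```ini
# Added example, not from the original thread.
# File: $SPLUNK_HOME/etc/apps/<your_app>/local/inputs.conf on a Universal
# Forwarder installed on the EC2 instance. Index "os_files", the sourcetype
# and the blacklist pattern are assumptions; adjust to your environment.

[monitor:///tmp]
disabled = false
index = os_files
sourcetype = tmp_dropped_files
# Walk subdirectories as well as /tmp itself.
recursive = true
# Skip files whose modification time is older than one day when the input
# starts, so the first run reports recently created files rather than
# everything already sitting in the directory.
ignoreOlderThan = 1d
# Key the file checksum on the full path, so two files with identical
# leading bytes are still reported as separate sources.
crcSalt = <SOURCE>
# Do not try to ingest obviously binary artefacts; the forwarder will not
# produce readable events from them anyway.
blacklist = \.(gz|zip|tar|so|bin|img)$
```

The same stanza shape works for /sbin; once data arrives, `| metadata type=sources index=os_files | where firstTime > relative_time(now(), "-24h")` lists the file paths first seen in the last day, which is the "new file" question from the opening post.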

roberto_baggio
New Member


I thought that because we use Splunk Cloud there are no forwarders, only collectors.

For fschange:

Note: The file system change monitor has been deprecated in Splunk Enterprise since version 5.0.

So fschange is not an option.
