Getting Data In

Is it possible to configure Splunk to show the filename only and not the contents of the file we're monitoring?

Engager

In the Splunk deployment we have, I'm using the Splunk universal forwarder to monitor changes to a folder, specifically when a file is added, on an sftp server. So far this is working, however it's showing not only that there has been a change, but the contents of the files in that directory. Is there a way to show the filename only and not the contents of the file, as there is sensitive information contained therein?

0 Karma

Legend

If you don't need the contents of the file, I would consider installing an auditing tool that monitors the directories of interest. Configure the auditing tool to write out the changes as they occur to some file - and then monitor the output of the auditing tool.

I think this is really where @mmodestino_Splunk is going. And while you can also write a scripted input, that can be hard: how often should your scripted input run and what should it track, etc? Ultimately, your scripted input will be duplicating the functionality of an auditing tool. And good auditing tools already exist for almost every OS.

If you need the contents of the file(s) as well, you could (1) use a monitor input to collect the file contents and place them in one index. And (2) you could also track the output of the auditing tool and place it in a different index in Splunk. So some users might be allowed to read the first index, containing the file contents - while other users are only allowed to search the second index to monitor changes to the files...

Communicator

Hi, the goal of a splunk monitor particularly is to gather the information inside a file if its changed. Depending on your usecase it might be more suitable to gather the information you need from a different source, f.e. windows event log or unix auditd for file access/change events. In addition from a a security point of you will gather more imporatend information like a user or maybe a source ip wich accessed the ftp server. Maybe something to consider for your usecase.
Greetings

Communicator

I would use a scripted input to do this. What OS is your SFTP server?

0 Karma

Splunk Employee
Splunk Employee

can you share a but more on how you have it currently set up? What exactly are you using to monitor the changes? Have you considered locking down the index that gets the file contents and serving a summary of the changes to the wider audience?

0 Karma

Splunk Employee
Splunk Employee

yeah im leaning toward audit logs like hgrow, although depending on what exactly your use case is, that can get a little crazy in terms of volume and config tuning...is this a security and compliance use case? If so then, yeah...audit logs...otherwise if ur requirements are a bit more relaxed then there things like hhGA is eluding to, where you just eat the sftp logs, which usually get you the transaction info ur looking for - maybe check /var/log/messages or like hhGA said, cronjob an ls -lah on the dir or something...but like I said, need to know more about your requirements and drivers

0 Karma

Engager

It's currently a windows sftp server that is held to HIPAA standards, but not governed under HIPAA. I think the best solution may be to monitor the sftp logs and not the directory itself, which seems to be the consensus. I'll test this out and let you know the results. Thank you!