Hey Guys
A simple one for someone out there im sure, I have a file on 3 servers that I currently monitor the changes to with Splunk, I have been asked to monitor the said files for the change and also the user account that makes the change, can anyone advise on how to do this ?
You'll probably need to set up the auditing functions for your OS in question. (Typically auditd
for Linux and enabling the Object Access
audit policy on Windows).
Splunk used to have a function for this, well it's actually still there, but it's been deprecated in version 5.x. This solution (fschangemonitor) can not however detect WHO made changes to a file.
Hope this helps,
Kristian
You'll probably need to set up the auditing functions for your OS in question. (Typically auditd
for Linux and enabling the Object Access
audit policy on Windows).
Splunk used to have a function for this, well it's actually still there, but it's been deprecated in version 5.x. This solution (fschangemonitor) can not however detect WHO made changes to a file.
Hope this helps,
Kristian
Well, I believe that there is/was an optional attribute called fullEvent
(boolean), that would toggle whether splunk should index the contents of the file being audited.
If I remember correctly this did not really work all that well when I tried it last - on *
nix the whole file came in as one event, and on Windows, each line of the file became a separate event (or if it was the other way round). But this was back in the 4.x days...
can splunk detect which line of the file was change and what was the changes like what the diff command does?
thats a great help, thanks for your advice.