Getting Data In

Monitor Who has made a change to a file

AaronMoorcroft
Communicator

Hey Guys

A simple one for someone out there im sure, I have a file on 3 servers that I currently monitor the changes to with Splunk, I have been asked to monitor the said files for the change and also the user account that makes the change, can anyone advise on how to do this ?

0 Karma
1 Solution

kristian_kolb
Ultra Champion

You'll probably need to set up the auditing functions for your OS in question. (Typically auditd for Linux and enabling the Object Access audit policy on Windows).

Splunk used to have a function for this, well it's actually still there, but it's been deprecated in version 5.x. This solution (fschangemonitor) can not however detect WHO made changes to a file.

Hope this helps,

Kristian

View solution in original post

kristian_kolb
Ultra Champion

You'll probably need to set up the auditing functions for your OS in question. (Typically auditd for Linux and enabling the Object Access audit policy on Windows).

Splunk used to have a function for this, well it's actually still there, but it's been deprecated in version 5.x. This solution (fschangemonitor) can not however detect WHO made changes to a file.

Hope this helps,

Kristian

kristian_kolb
Ultra Champion

Well, I believe that there is/was an optional attribute called fullEvent (boolean), that would toggle whether splunk should index the contents of the file being audited.

If I remember correctly this did not really work all that well when I tried it last - on *nix the whole file came in as one event, and on Windows, each line of the file became a separate event (or if it was the other way round). But this was back in the 4.x days...

0 Karma

necrophobic
New Member

can splunk detect which line of the file was change and what was the changes like what the diff command does?

0 Karma

AaronMoorcroft
Communicator

thats a great help, thanks for your advice.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...