Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Monitor Who has made a change to a file

AaronMoorcroft
Communicator
‎04-17-2013 07:39 AM

Hey Guys

A simple one for someone out there im sure, I have a file on 3 servers that I currently monitor the changes to with Splunk, I have been asked to monitor the said files for the change and also the user account that makes the change, can anyone advise on how to do this ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-17-2013 07:50 AM

You'll probably need to set up the auditing functions for your OS in question. (Typically auditd for Linux and enabling the Object Access audit policy on Windows).

Splunk used to have a function for this, well it's actually still there, but it's been deprecated in version 5.x. This solution (fschangemonitor) can not however detect WHO made changes to a file.

Hope this helps,

Kristian

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-17-2013 07:50 AM

You'll probably need to set up the auditing functions for your OS in question. (Typically auditd for Linux and enabling the Object Access audit policy on Windows).

Splunk used to have a function for this, well it's actually still there, but it's been deprecated in version 5.x. This solution (fschangemonitor) can not however detect WHO made changes to a file.

Hope this helps,

Kristian

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎10-17-2013 12:59 PM

Well, I believe that there is/was an optional attribute called fullEvent (boolean), that would toggle whether splunk should index the contents of the file being audited.

If I remember correctly this did not really work all that well when I tried it last - on *nix the whole file came in as one event, and on Windows, each line of the file became a separate event (or if it was the other way round). But this was back in the 4.x days...

0 Karma
Reply
Solved! Jump to solution

necrophobic
New Member
‎10-16-2013 09:19 AM

can splunk detect which line of the file was change and what was the changes like what the diff command does?

0 Karma
Reply
Solved! Jump to solution

AaronMoorcroft
Communicator
‎04-18-2013 12:50 AM

thats a great help, thanks for your advice.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...