I'm a beginner Splunk user and I'm trying to use Splunk to monitor an NFS directory for new files and run a (Python) script when a new file is added to the monitored directory.
I am using the following fschange stanza, which seems to work, but I'm not sure how to run the script when a new file is created in that directory:
# poll every 10 minutes
pollPeriod = 600
# generate audit events into the audit index instead of fschange events
Thanks for the comment!
Indeed, inotify was my first option, but the problem is that I don't have access to the NFS server and, as you mentioned, inotify will not trigger an event on a remote machine, as this is a kernel feature.
Since we are already using Splunk, I thought this could help us with this issue. I've read that fschange monitors have been deprecated and it is now recommended to use an auditd module in order to watch for these events, but we're trying to come up with the simplest solution for this problem.
Did you have any success with an NFS file monitoring solution using inotify or something similar?
Second: Splunk is more about recording events, extracting information and correlating them. If you had something producing events into Splunk (like the fschange monitor) and you had a scheduled search on your search head, you could kick off a custom alert action to execute your script from the search head, but that may not be what you're looking to do.
I am not as familiar as I should be with all the ins and outs of Phantom yet, however based on signals, they too can invoke playbook actions to automate tasks, but I'm not exactly sure of the mechanics there.
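The chain described in the answer above (fschange events indexed by Splunk, a scheduled search over them, and a custom alert action that runs the script on the search head) as an added example; this is not code from the original thread or from Splunk. It is the Python script that the custom alert action would invoke: Splunk calls such a script with `--execute` and passes a JSON payload on stdin whose `result` key holds the first matching row. The watched directory `WATCHED_ROOT`, the `process_new_file` placeholder and the sample payload are constructed, and the fschange field names (`action`, `path`, `isdir`) are assumed from the event format. Because the path in the event is data that came in through the index, the script canonicalises it and checks that it still lies under the watched directory before acting on it, and it only reacts to `add` events for regular files.

```python
# Added example, not from the original thread. Assumed chain:
#   [fschange:<nfs-dir>] in inputs.conf  ->  a scheduled search such as
#   sourcetype=fs_notification action=add isdir=0  ->  this script as the
#   custom alert action (Splunk runs it as "script --execute" with a JSON
#   payload on stdin). WATCHED_ROOT, process_new_file and SAMPLE_PAYLOAD
#   are constructed placeholders.
import json
import os
import re
import sys

WATCHED_ROOT = "/mnt/nfs/incoming"   # placeholder: the monitored NFS directory

# fschange events look like: action="add", path="/mnt/nfs/incoming/a.csv", isdir=0, size=12
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_fschange_raw(raw):
    """Parse the key=value pairs of a raw fschange event into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(raw)}


def resolve_watched_path(path, root=WATCHED_ROOT):
    """Return the canonical path if it lies inside root, otherwise None.

    The path arrives as event data, so it is canonicalised (symlinks and
    '..' resolved) and confined to the watched directory before use.
    """
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    if os.path.commonpath([real_root, real_path]) != real_root:
        return None
    return real_path


def handle_payload(payload, handler, root=WATCHED_ROOT):
    """Act on one alert-action payload. Returns (status, path)."""
    fields = dict(payload.get("result") or {})
    # Fall back to parsing _raw if the search did not extract the fields.
    if "path" not in fields and "_raw" in fields:
        fields.update(parse_fschange_raw(fields["_raw"]))
    if fields.get("action") != "add" or str(fields.get("isdir", "0")) != "0":
        return ("ignored", fields.get("path"))
    safe_path = resolve_watched_path(fields.get("path", ""), root)
    if safe_path is None:
        return ("rejected", fields.get("path"))
    handler(safe_path)
    return ("handled", safe_path)


def process_new_file(path):
    """Placeholder for the poster's own processing script; it only logs here."""
    sys.stderr.write("processing new file: %s\n" % path)


SAMPLE_PAYLOAD = {  # constructed, shaped like the --execute payload
    "search_name": "nfs new file",
    "sid": "scheduler__example",
    "result": {
        "_raw": 'action="add", path="/mnt/nfs/incoming/report.csv", isdir=0, size=512',
        "action": "add",
        "path": "/mnt/nfs/incoming/report.csv",
        "isdir": "0",
    },
}


def main(argv=sys.argv, stdin=sys.stdin):
    if len(argv) > 1 and argv[1] == "--execute":
        payload = json.load(stdin)      # real invocation by Splunk
    else:
        payload = SAMPLE_PAYLOAD        # dry run without Splunk
    status, path = handle_payload(payload, process_new_file)
    sys.stderr.write("%s %s\n" % (status, path))
    return 0 if status != "rejected" else 3   # non-zero is logged by Splunk as a failure


if __name__ == "__main__":
    sys.exit(main())
```

Run without arguments the script processes the built-in sample payload, which is convenient for checking the logic before wiring it up as an alert action. The confinement check matters because anything that can write an event matching the scheduled search can influence which path the script receives; `resolve_watched_path` makes a path such as `/mnt/nfs/incoming/../../../etc/passwd` resolve outside the watched root and be rejected instead of handed to the processing script.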