Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Monitor empty files?

ftk
Motivator
‎04-16-2013 07:43 AM

I have a business need to monitor 0 kb files. I can get this to work using fschange, however with fschange being deprecated in 5.x this is not a viable option. I would prefer using monitor rather than a script, and only want to index new files, with the system time being used as timestamp (DATETIME_CONFIG=CURRENT).

Any ideas?

Reply
1 Solution
Solved! Jump to solution
Solution

bmacias84
Champion
‎07-23-2013 02:07 PM

If you don't want to use a script or a modular input then Windows Security Auditing. You will have to monitor the Security Event Logs. The Windows Security Event logs can be really noisy, so you might have to build some transforms to filter data.

  1. On your windows Server right click folder/directory. Select Properties
  2. Click Security Tab. Click Advanced.
  3. Click Auditing Tab. Click Edit
  4. Click Add...
  5. For Object Name enter: EVERYONE. Click Check Name. Click OK
  6. Managing audit Windows will appear. Check Successful and Failed for the following accesses: Create Files/ Write data; Create folders / append data; Delete subfolders and files; delete

This should give you what you need. Though its been a while so you going to have dig up the EventID corresponding to the create/append/delte of a file. Think it might be 560, 4616. Also you may need to turn on Audit object access through Local Group Policy.

Additional info:

Hope this helps or gets you started. If you have additional question I'll try to help.

View solution in original post

Reply
Solved! Jump to solution

ben_leung
Builder
‎09-09-2014 08:28 PM

I have the same situation where we have to monitor files that are 0kb. The forwarder hangs during this time and creates a lag time for any other files to be monitored. This is in a linux base OS. How would you resolve the hang time?

0 Karma
Reply
Solved! Jump to solution
Solution

bmacias84
Champion
‎07-23-2013 02:07 PM

If you don't want to use a script or a modular input then Windows Security Auditing. You will have to monitor the Security Event Logs. The Windows Security Event logs can be really noisy, so you might have to build some transforms to filter data.

  1. On your windows Server right click folder/directory. Select Properties
  2. Click Security Tab. Click Advanced.
  3. Click Auditing Tab. Click Edit
  4. Click Add...
  5. For Object Name enter: EVERYONE. Click Check Name. Click OK
  6. Managing audit Windows will appear. Check Successful and Failed for the following accesses: Create Files/ Write data; Create folders / append data; Delete subfolders and files; delete

This should give you what you need. Though its been a while so you going to have dig up the EventID corresponding to the create/append/delte of a file. Think it might be 560, 4616. Also you may need to turn on Audit object access through Local Group Policy.

Additional info:

Hope this helps or gets you started. If you have additional question I'll try to help.

Reply
Solved! Jump to solution

ftk
Motivator
‎07-24-2013 08:45 AM

That's a great idea. Not sure why I didn't think of that since we are using the SACLs for FIM already...thanks!

0 Karma
Reply
Solved! Jump to solution

ftk
Motivator
‎07-23-2013 11:14 AM

The files never grow. They are being used as a simple flag by the vendor, i.e. ABCD.zip will receive ABCD.done at 0 kb length to flag the file as processed.

0 Karma
Reply
Solved! Jump to solution

gregbujak
Path Finder
‎07-23-2013 11:09 AM

Do these files grow? Do you need to know that they stayed empty and you want to know when they start growing? Or is it a simple flag that indicates something happened?

0 Karma
Reply
Solved! Jump to solution

ftk
Motivator
‎07-23-2013 10:48 AM

OS is Windows 2008.

0 Karma
Reply
Solved! Jump to solution

bmacias84
Champion
‎04-16-2013 08:54 AM

This will vary depending on OS. Which OS are you trying to do this for?

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...