I have a business need to monitor 0 kb files. I can get this to work using fschange; however, with fschange being deprecated in 5.x, this is not a viable option. I would prefer using monitor rather than a script, and only want to index new files, with the system time being used as the timestamp (DATETIME_CONFIG=CURRENT).
Do these files grow? Do you need to know that they stayed empty and you want to know when they start growing? Or is it a simple flag that indicates something happened?
The files never grow. They are being used as a simple flag by the vendor, i.e. ABCD.zip will receive ABCD.done at 0 kb length to flag the file as processed.
If you don't want to use a script or a modular input, then use Windows Security Auditing. You will have to monitor the Security Event Logs. The Windows Security Event logs can be really noisy, so you might have to build some transforms to filter data.
This should give you what you need. Though it's been a while, so you're going to have to dig up the EventID corresponding to the create/append/delete of a file. Think it might be 560, 4616. Also, you may need to turn on Audit object access through Local Group Policy.
Hope this helps or gets you started. If you have additional questions, I'll try to help.
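An added example, not part of the original answer and not Splunk's own configuration: one way to collect the Security log and keep only the audit events for the `.done` flag files, using the drop-everything-then-keep-matches transform pattern. The stanza names `drop_all_security` and `keep_done_flags`, the source value `WinEventLog:Security`, and the event codes are assumptions to check against your own data.

```ini
# --- inputs.conf (on the Windows forwarder) ---
# Collect the Security event log, where object-access audit events are written.
[WinEventLog://Security]
disabled = 0

# --- props.conf (on the indexer or heavy forwarder that parses the data) ---
# Index-time transforms run where parsing happens, not on a universal forwarder.
# Order matters: the last matching transform decides the queue.
# Assumption: the events arrive with source "WinEventLog:Security".
[source::WinEventLog:Security]
TRANSFORMS-doneflags = drop_all_security, keep_done_flags

# --- transforms.conf (same host as props.conf) ---
# Hypothetical stanza name: send every Security event to the null queue...
[drop_all_security]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Hypothetical stanza name: ...then route back to the index queue only the
# file-access events whose "Object Name" line ends in ".done".
# Event codes are assumptions: 560 is taken from the answer above, 4663 is
# the object-access event on newer Windows versions. Confirm in your own logs.
[keep_done_flags]
REGEX = (?s)EventCode=(?:560|4663)\b.*?Object Name:[^\r\n]*\.done[ \t]*[\r\n]
DEST_KEY = queue
FORMAT = indexQueue
```

These events only appear once object-access auditing is enabled and an audit entry is set on the folder that receives the flag files.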
I have the same situation where we have to monitor files that are 0kb. The forwarder hangs during this time and creates a lag time for any other files to be monitored. This is on a Linux-based OS. How would you resolve the hang time?