Getting Data In

Monitoring changes to configuration files

kkuminsky
Path Finder

Trying to monitor changes to configuration files.

Followed this article: http://www.splunk.com/base/Documentation/4.0.9/Admin/Monitorchangestoyourfilesystem

Created Data Input in Splunk Manager. Here is the inputs.conf (added pollPeriod manually):


[monitor://\\192.168.1.12\Siteroot\Web.config]
disabled = false
host = SIT-APP-shared
host_regex =
host_segment =
index = main
sourcetype =
pollPeriod = 60


Restarted Splunk after the changes; the share has full permissions for Everyone.

Then I change the web.config file and do a search in Splunk - nothing.

Does the configuration look right? How do I debug it to see whether it's connecting to the share, how often, error messages, etc.?

1 Solution

kkuminsky
Path Finder

OK, the reason it was not working is that the Splunk services were running under the Local System account.

Here are the articles I used to fix it:

http://www.splunk.com/base/Documentation/latest/Installation/InstallonWindows#Choosing_the_user_Splu...

http://www.splunk.com/base/Documentation/latest/Installation/CorrectingtheuserselectedduringWindowsi...


kkuminsky
Path Finder

It appears that it's working for local files - [fschange:C:\TEMP\test.txt] - but not for network paths - [fschange:\\10.255.1.20\Siteroot\Web.config].

So, I guess the question is how to monitor files on other machines in the network.


the_wolverine
Champion

What you want to do is fschange (filesystem change) monitoring, which is different from monitoring. If you modify your configuration to look like the example on the page you linked to, it should work:

[fschange:/var/apache]
index = sample
recurse = true
followLinks = false
signedaudit = false
fullEvent = true
sendEventMaxSize = 1048576
delayInMills = 1000

kkuminsky
Path Finder

Yes, you are right. It looks like I shouldn't rely that much on the GUI.

So, I've changed the config (see below). Now I don't see this record in Splunk Manager under Data Inputs anymore. Also, when I make changes to the file I'm still not able to find any records when doing a search.


[fschange:\\10.255.1.20\Siteroot\Web.config]
index = main
recurse = true
followLinks = false
signedaudit = false
fullEvent = true
sendEventMaxSize = 1048576
delayInMills = 1000
pollPeriod = 60

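The thread turns on two separate problems: the original stanza was a monitor:// input carrying fschange-only attributes (the_wolverine's point), and the Windows splunkd service was running as Local System, which has no usable network identity on the share (the accepted solution). The script below is an added example, not Splunk's own tooling or anything posted in this thread: a small inputs.conf linter that parses both stanza kinds and reports those two mistakes, plus a UNC path that has lost its leading backslash (the thread's paths were posted with a single one). The list of fschange-only attributes is my reading of inputs.conf.spec and should be checked against your Splunk version's spec file; the `sc qc splunkd` transcript and the config text are constructed samples, and the UNC paths are written with two backslashes.

```python
"""Lint a Splunk inputs.conf for the mistakes discussed in this thread.

Added example, not Splunk's tooling. Findings reported:
  1. a [monitor://...] stanza carrying fschange-only attributes, which a
     monitor input does not use (pollPeriod, recurse, fullEvent, ...);
  2. a path that looks like a UNC path missing its leading backslash;
  3. a UNC path while splunkd runs as LocalSystem (the accepted answer's
     root cause), detected from 'sc qc splunkd' output.
The FSCHANGE_ONLY set is an assumption taken from inputs.conf.spec as I
know it; confirm it against the spec file shipped with your version.
"""
import re

# Attributes that belong to [fschange:...] stanzas only (assumed from spec).
FSCHANGE_ONLY = {"recurse", "followLinks", "pollPeriod", "hashMaxSize",
                 "fullEvent", "sendEventMaxSize", "signedaudit",
                 "delayInMills", "filters"}


def parse_inputs_conf(text):
    """Return {stanza_header: {key: value}} for a .conf file body."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def stanza_path(header):
    """Split 'monitor://X' or 'fschange:X' into (kind, path)."""
    if header.startswith("monitor://"):
        return "monitor", header[len("monitor://"):]
    if header.startswith("fschange:"):
        return "fschange", header[len("fschange:"):]
    return None, header


def is_unc(path):
    return path.startswith("\\\\")


def looks_like_broken_unc(path):
    # One backslash followed by a non-backslash: '\host\share\...' rather
    # than '\\host\share\...'. Almost always a UNC path that lost a slash.
    return bool(re.match(r"^\\[^\\]", path))


def service_account_from_sc(sc_output):
    """Extract SERVICE_START_NAME from 'sc qc splunkd' output."""
    m = re.search(r"SERVICE_START_NAME\s*:\s*(\S+)", sc_output)
    return m.group(1) if m else None


def lint_inputs(text, service_account=None):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for header, attrs in parse_inputs_conf(text).items():
        kind, path = stanza_path(header)
        if kind is None:
            continue
        if kind == "monitor":
            bad = sorted(FSCHANGE_ONLY & set(attrs))
            if bad:
                findings.append(f"[{header}] monitor stanza does not use "
                                f"fschange-only keys: {', '.join(bad)}")
        if looks_like_broken_unc(path):
            findings.append(f"[{header}] path {path!r} looks like a UNC "
                            f"path missing its leading backslash")
        if is_unc(path) and service_account \
                and service_account.lower() == "localsystem":
            findings.append(f"[{header}] UNC path but splunkd runs as "
                            f"LocalSystem; run the service as an account "
                            f"that can reach the share")
    return findings


# Constructed samples: the thread's first (monitor://) stanza, the fixed
# fschange form, and an 'sc qc splunkd' transcript showing LocalSystem.
SAMPLE_MONITOR = r"""
[monitor://\\192.168.1.12\Siteroot\Web.config]
disabled = false
host = SIT-APP-shared
index = main
pollPeriod = 60
"""
SAMPLE_FSCHANGE = r"""
[fschange:\\192.168.1.12\Siteroot\Web.config]
index = main
recurse = true
followLinks = false
signedaudit = false
fullEvent = true
sendEventMaxSize = 1048576
delayInMills = 1000
pollPeriod = 60
"""
SAMPLE_SC_QC = """
SERVICE_NAME: splunkd
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\\Program Files\\Splunk\\bin\\splunkd.exe" service
        DISPLAY_NAME       : Splunkd Service
        SERVICE_START_NAME : LocalSystem
"""

if __name__ == "__main__":
    acct = service_account_from_sc(SAMPLE_SC_QC)
    for name, conf in (("monitor", SAMPLE_MONITOR), ("fschange", SAMPLE_FSCHANGE)):
        print(f"--- {name} stanza, splunkd running as {acct}")
        for finding in lint_inputs(conf, acct):
            print("  ", finding)
```

On a real host, feed `lint_inputs` the output of `splunk btool inputs list --debug` rather than a single file, so that stanzas merged from several apps are checked, and pass it the account line from `sc qc splunkd`. A clean result from the linter does not prove the share is reachable; it only removes the two configuration-level causes the thread identified.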