Using fschange to monitor Windows filesystem

SplunkTrust

I'm trying to set up fschange to monitor a folder on one of our servers (running Splunk v4.1.2) using the following stanza (in inputs.conf on host xyz):

[fschange:E:\testfschange\]
index=mysamples
pollPeriod=60
followLinks=true
fullEvent=true
delayInMills=1000
host=abc.int.hlc.com

I restarted Splunk after this change, then created a new document and stored it in this folder. I've also made a change to a document in the folder. I'm monitoring Splunk to see if this shows up, but nothing is getting sent to Splunk. Part of me wonders if I have to actually have this set up in the inputs.conf file on the host where the folder I want to monitor resides. If this is the case, how have people handled deployment apps? Do you just create a separate stanza for each host/folder in serverclass.conf and then inputs.conf?

What are the requirements to get fschange to work? Do I also have to have Windows auditing enabled? If so, this would seem like overkill, since events are getting sent to the Security log when you enable Windows file auditing.

Thanks.


Path Finder

A few things:

  1. inputs.conf is on the server where Splunk is installed. That's where you should add the stanza.
  2. I don't see a parameter such as "host=" for fschange. Please go through the following article about fschange (http://www.splunk.com/base/Documentation/4.0.9/Admin/Monitorchangestoyourfilesystem). If you want to monitor files or a folder on a remote server, you probably want to use a network path. Something like

    [fschange:\\abc.int.hlc.com\e$\testfschange]

  3. Was the mysamples index created for this particular monitoring task, or are there already events in there? You may want to try an index with existing events first to make sure it's not an index file issue.

  4. If you are going to monitor files through the network, make sure the Splunk services are running under an account that has the appropriate permissions (http://www.splunk.com/base/Documentation/latest/Installation/InstallonWindows#Choosing_the_user_Splunk_should_run_as).
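Point 4 is the one that usually bites when the stanza points at a UNC path: the ACL has to grant the account splunkd actually runs as, and if that is LocalSystem the remote box sees the computer account, not "SYSTEM". The following PowerShell is an added example, not code from this thread or from Splunk; the service name "splunkd", the UNC path from the stanza above, and the NetBIOS-domain derivation are assumptions, adjust them for your environment.

```powershell
# Added example, not code from the thread: find out which account splunkd runs as
# and whether the NTFS ACL on the folder you want fschange to read grants that
# account access. Service name "splunkd" and the UNC path are assumptions.

$Target = '\\abc.int.hlc.com\e$\testfschange'   # assumed: path from the answer above

# 1. Which account does the Splunk service run as? (Win32_Service exists on 2003/2008.)
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='splunkd'"
if (-not $svc) { throw 'splunkd service not found on this host' }
$account = $svc.StartName
Write-Host "splunkd runs as: $account"

# LocalSystem reaches network shares with the computer account (DOMAIN\HOST$), so
# that is the principal the share and NTFS ACLs on the remote box must grant.
# Building the NetBIOS domain from the first DNS label is an assumption.
if ($account -eq 'LocalSystem') {
    $dnsDomain = (Get-WmiObject -Class Win32_ComputerSystem).Domain
    $account   = '{0}\{1}$' -f $dnsDomain.Split('.')[0], $env:COMPUTERNAME
    Write-Host "On the network LocalSystem appears as: $account"
}

# 2. Sanity check as the current user (this is NOT the service account's view).
if (-not (Test-Path -Path $Target)) { throw "Cannot reach $Target as $env:USERNAME" }

# 3. Look for an Allow ACE granting read to the service account or a broad group.
#    Nested group membership is not resolved here, so a miss is a hint, not proof.
$broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$acl  = Get-Acl -Path $Target
$hits = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights.ToString() -match 'Read|FullControl') -and
    ($_.IdentityReference.Value -eq $account -or $broadGroups -contains $_.IdentityReference.Value)
}

if ($hits) {
    Write-Host "ACEs that should let $account read ${Target}:"
    $hits | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
} else {
    Write-Warning "No Allow ACE for $account (or Everyone/Users/Authenticated Users) on $Target."
    Write-Warning 'Grant read on both the share and the NTFS folder, or run splunkd as a domain account.'
}
```

Run it on the Splunk host, elevated. Remember that the share permissions on the remote server are evaluated in addition to the NTFS ACL this script reads, and that an administrative share like e$ is only reachable by accounts in the remote Administrators group; a dedicated read-only share for the monitored folder is the least-privilege option.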


Motivator

Are you by any chance adding the fschange monitor on a forwarder? If so, this is broken (unless you want to pipe it into the _audit index, which may or may not be enough for you). It was in 4.1.2 and still is in 4.1.3.

http://www.splunk.com/base/Documentation/4.1.2/ReleaseNotes/Knownissues

Support has been unable to provide me with an ETA for the fix.

As a workaround, I use a regular monitor stanza combined with a custom sourcetype to index full files of interest. You can still run diffs and whatnot on the files that way. And since you're on Windows, you can enable object-level auditing via group or local policy and log which user made the change for accounting purposes.

I use the following monitor to index changes to my Splunk configs, for example (inputs.conf):

[monitor://C:\Program Files\Splunk\etc\...\*.conf]
followTail = False
sourcetype = splunk_config
index = my_custom_index
disabled = false

and define the splunk_config sourcetype in props.conf as such:

[splunk_config]
BREAK_ONLY_BEFORE=goblygook
MAX_EVENTS=200000
DATETIME_CONFIG = NONE
CHECK_METHOD = modtime
pulldown_type = true
LEARN_MODEL = false

This combination will index all files under splunk\etc ending in .conf. BREAK_ONLY_BEFORE=goblygook basically tells Splunk not to break the event (in this case the conf file) until it encounters "goblygook", which shouldn't be in any of your files.

It would be better to use fschange but until it is fixed on forwarders this workaround should do.
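The object-level auditing this post recommends is what actually answers the "which user changed the file" question, since neither fschange nor the whole-file monitor records a principal. Below is an added PowerShell example, not code from this thread or from Splunk, that turns it on for one folder and checks that events arrive. It assumes Vista/Server 2008 or later (auditpol.exe and event ID 4663), an elevated session, and the E:\testfschange folder from the question; on Server 2003 you would instead enable "Audit object access" in Local/Group Policy and look for IDs 560/567.

```powershell
# Added example, not code from the thread: enable object-level auditing on the
# monitored folder so the Security log records which user changed which file, and
# check that the events arrive. Assumes Vista/Server 2008 or later (auditpol.exe,
# event ID 4663) and an elevated session. The folder path is an assumption.

$Folder = 'E:\testfschange'   # assumed: the folder from the question

# 1. Policy side: turn on the "File System" subcategory of object-access auditing.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Object side: add a SACL entry so successful write/delete by anyone is audited.
#    Reading or writing the SACL needs SeSecurityPrivilege, hence the elevated session.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Verify the SACL took.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# 4. Touch a file, then read back the audit events. In the 4663 template the
#    replacement strings carry SubjectUserName at index 1 and ObjectName at index 6;
#    fall back to the Message property if your template differs.
Set-Content -Path (Join-Path $Folder 'audit-probe.txt') -Value 'probe'
Get-EventLog -LogName Security -InstanceId 4663 -Newest 10 |
    Where-Object { $_.ReplacementStrings[6] -like "$Folder*" } |
    Select-Object TimeGenerated,
        @{ Name = 'User';   Expression = { $_.ReplacementStrings[1] } },
        @{ Name = 'Object'; Expression = { $_.ReplacementStrings[6] } } |
    Format-Table -AutoSize
```

On the Splunk side the 4.x Windows event log input picks these up with a [WinEventLog:Security] stanza (disabled = 0) in inputs.conf on that host, after which EventCode=4663 events carry the user, process and object name alongside the file content indexed by the monitor stanza above. Keep the audited rights and the folder scope narrow: auditing Everyone for all access on a busy tree floods the Security log and the index with 4663s.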


SplunkTrust

Moving my config to the inputs.conf file on my server where Splunk is installed and changing the path worked.

Couple of questions:

  1. What does it mean when "too_small" is appended to the sourcetype when you add text to a file?
  2. Is there any way to see what user made the change?

Thanks.
