In one set of our Splunk forwarders, we keep getting the following error message:
FilesystemChangeWatcher - error getting attributes of path "C:\pagefile.sys": The process cannot access the file because it is being used by another process.
It only happens to this set of servers and every one of them.
What could be the possible reason for it?
thanks.
Just to post the answer from the support:
When we define an input stanza using a wildcard like [monitor://C:\Program Files*....], Splunk will traverse one level up and start monitoring from c:\ and hit the error you are seeing.
So in your case the simple solution will be to change the "monitor://C:\Program Files*" to either
[monitor://C:\Program Files....
or
[monitor://C:\Program Files (x86)....
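An added example (not part of the original thread, and not Splunk's own code): a small audit of an inputs.conf that reports, for each wildcard monitor stanza, the directory monitoring falls back to, following the behaviour support describes above. The stanzas in SAMPLE and the ExampleApp paths are constructed, and the function names are hypothetical.

```python
import re

STANZA = re.compile(r"^\[monitor://(?P<path>.+)\]\s*$")
WILDCARD = re.compile(r"\*|\.\.\.")          # Splunk's two path wildcards
ROOT = re.compile(r"[A-Za-z]:\\|/")          # drive root or POSIX root

def effective_base(path):
    """Directory before the first wildcard segment, or None if no wildcard."""
    sep = "\\" if "\\" in path else "/"
    segments = path.split(sep)
    for i, seg in enumerate(segments):
        if WILDCARD.search(seg):
            base = sep.join(segments[:i])
            # A bare drive letter or empty string means the filesystem root.
            if base == "" or re.fullmatch(r"[A-Za-z]:", base):
                base += sep
            return base
    return None

def audit(conf_text):
    """Return (stanza path, effective base, base_is_root) per wildcard stanza."""
    findings = []
    for line in conf_text.splitlines():
        m = STANZA.match(line.strip())
        if not m:
            continue
        base = effective_base(m.group("path"))
        if base is not None:
            findings.append((m.group("path"), base, bool(ROOT.fullmatch(base))))
    return findings

# Constructed sample inputs.conf; not taken from the thread.
SAMPLE = r"""
[monitor://C:\Program Files*\ExampleApp\logs]
index = main

[monitor://C:\Program Files\ExampleApp\logs]

[monitor://C:\Program Files (x86)\ExampleApp\...\*.log]

[monitor:///var/log/*/app.log]
"""

if __name__ == "__main__":
    for path, base, at_root in audit(SAMPLE):
        flag = "ROOT-LEVEL" if at_root else "ok"
        print(f"{flag:10} {path}  ->  monitored from {base}")
```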
I just resolved this issue myself.
TLDR: Any directories you're reading from, you must have read access to, and must have the execute bit set.
I highly recommend keeping SELinux doing its job and executing the following for your hosts:
sudo setfacl -R -m u:splunk:rX /path/to/logs
The -R switch will apply permissions recursively
The -m is to modify the existing ACL
The u:splunk specifies the splunk user
The rX grants read access to everything, and sets the execute bit only on files with an existing execute bit flipped.
Cheers
The poster's question is clearly asking about Windows. The Linux commands you've posted in your answer are not relevant to the question.
In case you get trapped with a file not being monitored even if (1) all permissions seem correct, (2) your deployment script is set to Enable App, Restart Splunkd and (3) you see these errors
09-18-2015 12:28:47.311 +1000 WARN FilesystemChangeWatcher - error getting attributes of path "/software/app/oracle/admin/webhost1/diagnostics/logs/OHS/ohs1/access_log": Permission denied
Then I found this actually did work:
- Log on to the forwarder and check that your app with the file monitoring stanza has been deployed all OK
- Do a splunk list monitor (if you've got the same problem it won't be listed)
- Restart Splunk, e.g. /opt/splunkforwarder/bin/splunk restart
- Do another splunk list monitor to see if it has worked
Unfortunately in this exercise I didn't do a ps | grep splunk on the remote host to check if the splunkforwarder process had been restarted by the utility server's splunk reload deploy-server
It would seem you have configured the forwarder to monitor that file (or its parent directory) for changes. Monitoring (and indexing) the Windows swap file doesn't make sense. You should change the inputs.conf file for the forwarders in question.
I did a "splunk list monitor" but pagefile.sys is not in the list.
We use a deployment server to push forwarder settings and I double checked that the file or its parent directory (c:) is not in our inputs.conf.