Getting Data In

Why does fullEvent=true not working in my fschange config in inputs.conf?

kalianov
Path Finder

I need to monitor file changes and I want to know which changes were made.

inputs.conf

[fschange:///etc/passwd]
 disabled = 0
 fullEvent = true
 sendEventMaxSize = -1
 pollPeriod = 10
 hashMaxSize = -1
 index=unixsrv
 sourcetype=linux_configfile

I can't see the difference between results if I used inputs.conf with stanza fullEvent=true and without it.

Result is always the same:

Tue Feb 23 14:45:14 2016 
action=update, 
path="///etc/passwd",
isdir=0, 
size=1771, 
gid=0, uid=0, 
modtime="Tue Feb 23 14:45:11 2016", 
mode="rw-r--r--", 
hash=, 
chgs="modtime "

I would like to have the full passwd file.
I thought the "fullEvent" parameter was just for that, but it looks like it isn't.

What am I doing wrong?
Thanks

0 Karma
1 Solution

woodcock
Esteemed Legend
0 Karma

woodcock
Esteemed Legend
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...