Getting Data In

Windows Directory Monitoring: How to get file monitoring activity returned to my splunk server?

rsbst19
Engager

Hi all, 

Splunk newbie with what I hope is a simple question...
I have a UF installed on my windows file server, and it is set to monitor a directory--see below


[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
monit
[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest

[monitor://D:\documents\Confidential]
disabled = false

 The intent is for it to report access/modifications/deletions to files in that directory, but I am not getting any file monitoring activity returned to my splunk server when I perform a simple query for the windows host.  I do get all the system and security events, though.

Any ideas on why I'm not getting the file monitoring activity?  Thanks!

Labels (3)
Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @rsbst19,

to monitor file activities, you have to enable this logging on the server (beware because it's really verbose and heavy for the server resources!), then you can monitor it in Splunk using the same wineventlog stanza, you don't need an additional stanza.

For this you need a Windows technician not a Splunker!

The stanza you added is to monitor the contents of log files of this folder, not activities on files!

Ciao.

Giuseppe

 

View solution in original post

rsbst19
Engager

Great.  Thanks for the explanation Giuseppe!  

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rsbst19,

if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rsbst19,

to monitor file activities, you have to enable this logging on the server (beware because it's really verbose and heavy for the server resources!), then you can monitor it in Splunk using the same wineventlog stanza, you don't need an additional stanza.

For this you need a Windows technician not a Splunker!

The stanza you added is to monitor the contents of log files of this folder, not activities on files!

Ciao.

Giuseppe

 

Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...