Getting Data In

filesystem change monitor on windows LightWeight Forwarder

steveirogers
Communicator

Installation: Universal Forwarder 4.3.2
I am trying to use the FileSystem monitor to monitor the files in inputs.conf.
I added this stanza to the "inputs.conf" file and restarted the Forwarder.

[fschange://E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true 

I then made several configuration changes to "inputs.conf" (and restarted the Forwarder) but I do not see any events in the "_audit" index. Where am I going wrong? Thanks

0 Karma

steveirogers
Communicator
No success as yet. I modified the fsmonitor stanza on the Forwarder as follows:
[fschange:E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

I have made changes to the "inputs.conf" file in that location, restarted the Splunk service, but no events are showing in "index=_audit" for this or in any other index for that matter.
I went ahead and upgraded the Windows Forwarder to version 4.3.3 and the Indexer is also at 4.3.3 to see if that would change anything, but it did not. Thanks for your help. At this time I will probably submit this to Splunk support.

0 Karma

dmaislin_splunk
Splunk Employee

I think you just need to take out the first two slashes. It is different than the monitor stanza.

[fschange:E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Monitorchangestoyourfilesystem

Also, if this is running from a forwarder is when you set index = _audit; otherwise, if it is local, you don't have to do that.

To forward file system change monitor events from a universal forwarder, you must set signedaudit = false and index=_audit:

[fschange:<directory or file to monitor>]
signedaudit = false
index=_audit

With this workaround, file system change monitor events are indexed in the _audit index with sourcetype set to fs_notification and source set to fschangemonitor, instead of the default value of audittrail for both sourcetype and source.
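
An added check, not from this thread or from Splunk, that reads an inputs.conf text and flags the two things this answer turns on: a monitor-style "fschange://" header, and a forwarder-side stanza missing signedaudit = false or index = _audit. The inputs.conf sample inside it is constructed from the stanzas posted above plus one extra stanza; the parser is a minimal stand-in, not Splunk's own.

```python
import re

# Constructed sample inputs.conf: the poster's double-slash stanza, the corrected
# stanza from the answer, and a forwarder stanza missing the two required settings.
SAMPLE_INPUTS_CONF = r"""
[fschange://E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true
[fschange:E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true
[fschange:C:\Windows\System32\drivers\etc]
fullEvent = true
"""
STANZA_RE = re.compile(r"^\[([^\]]+)\]$")

def parse_conf(text):
    """Minimal Splunk-style .conf parser: returns [(stanza name, {key: value})]."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = STANZA_RE.match(line)
        if m:
            current = (m.group(1), {})
            stanzas.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # accepts 'key = value' and 'key=value'
            current[1][key.strip()] = value.strip()
    return stanzas

def lint_fschange(text, on_forwarder=True):
    """Return {stanza name: [problems]} for every fschange stanza in the text."""
    findings = {}
    for name, attrs in parse_conf(text):
        if not name.startswith("fschange:"):
            continue
        problems = []
        if name.startswith("fschange://"):
            problems.append("header uses 'fschange://'; fschange takes one colon, unlike monitor://")
        if on_forwarder:  # the two settings the answer says a universal forwarder needs
            if attrs.get("signedaudit", "").lower() != "false":
                problems.append("forwarder needs signedaudit = false")
            if attrs.get("index") != "_audit":
                problems.append("forwarder needs index = _audit")
        findings[name] = problems
    return findings
```

Running lint_fschange(SAMPLE_INPUTS_CONF) flags only the first and third stanzas; the corrected stanza from the answer passes clean.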

steveirogers
Communicator

Thank you dmaislin_splunk. I will try that and see if it works.

0 Karma