filesystem change monitor on windows LightWeight Forwarder

steveirogers
Communicator

Installation: Universal Forwarder 4.3.2
I am trying to use the FileSystem monitor to monitor the files in inputs.conf.
I added this stanza to the "inputs.conf" file and restarted the Forwarder.

[fschange://E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true 

I then made several configuration changes to "inputs.conf" (and restarted the Forwarder) but I do not see any events in the "_audit" index. Where am I going wrong? Thanks

steveirogers
Communicator
No success as yet.  I modified the fsmonitor stanza on the Forwarder as follows:
[fschange:E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

I have made changes to the "inputs.conf" file in that location, restarted the Splunk service, but no events are showing in "index=_audit" for this, or in any other index for that matter.
I went ahead and upgraded the Windows Forwarder to version 4.3.3 and the Indexer is also at 4.3.3 to see if that would change anything, but it did not. Thanks for your help. At this time I will probably submit this to Splunk support.


dmaislin_splunk
Splunk Employee

I think you just need to take out the first two slashes. It is different than the monitor stanza.

[fschange:E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Monitorchangestoyourfilesystem

Also, if this is running from a forwarder, that is when you set index = _audit; otherwise, if it is local, you don't have to do that.

To forward file system change monitor events from a universal forwarder, you must set signedaudit = false and index=_audit:

[fschange:<directory or file to monitor>]
signedaudit = false
index=_audit

With this workaround, file system change monitor events are indexed in the _audit index with sourcetype set to fs_notification and source set to fschangemonitor, instead of the default value of audittrail for both sourcetype and source.
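As an added illustration (not part of the original answer or any Splunk tool), here is a small linter that parses inputs.conf stanzas and flags the two mistakes discussed above: the monitor-style `fschange://` prefix and, on a forwarder, a missing `signedaudit = false` or `index = _audit`. The sample configuration, the `parse_stanzas` and `lint_fschange` function names and the finding messages are all constructed for this example.

```python
# Constructed sample inputs.conf, not from the original post: the first stanza
# uses the monitor-style "fschange://" prefix (wrong), the second the correct
# "fschange:" form, the third omits the settings a forwarder needs.
SAMPLE_INPUTS_CONF = r"""
[fschange://E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

[fschange:E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

[fschange:C:\Windows\System32\drivers\etc]
fullEvent = true
"""

def parse_stanzas(text):
    """Return a list of (header, {key: value}) for each [stanza] in conf text."""
    stanzas, header, body = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            if header is not None:
                stanzas.append((header, body))
            header, body = line[1:-1], {}
        elif "=" in line and header is not None:
            key, _, value = line.partition("=")
            body[key.strip().lower()] = value.strip()  # keys are case-insensitive
    if header is not None:
        stanzas.append((header, body))
    return stanzas

def lint_fschange(text, on_forwarder=True):
    """Flag fschange stanzas that will not produce events as the answer describes."""
    findings = []
    for header, body in parse_stanzas(text):
        if not header.lower().startswith("fschange:"):
            continue
        if header.startswith("fschange://"):
            findings.append((header, "monitor-style '//' prefix; use fschange:<path>"))
            continue
        if on_forwarder:
            if body.get("signedaudit", "").lower() != "false":
                findings.append((header, "forwarder needs signedaudit = false"))
            if body.get("index") != "_audit":
                findings.append((header, "forwarder needs index = _audit"))
    return findings
```

Run `lint_fschange(open("inputs.conf").read())` against a forwarder's local inputs.conf before restarting; an empty list means the stanza matches the form given above.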

steveirogers
Communicator

Thank you dmaislin_splunk. I will try that and see if it works.
