Getting Data In

filesystem change monitor on Windows LightWeight Forwarder

steveirogers
Communicator

Installation: Universal Forwarder 4.3.2
I am trying to use the FileSystem monitor to monitor the files in inputs.conf.
I added this stanza to the "inputs.conf" file and restarted the Forwarder.

[fschange://E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

I then made several configuration changes to "inputs.conf" (and restarted the Forwarder) but I do not see any events in the "_audit" index. Where am I going wrong? Thanks

0 Karma

steveirogers
Communicator
No success as yet.  I modified the fsmonitor stanza on the Forwarder as follows:
[fschange:E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

I have made changes to the "inputs.conf" file in that location, restarted the Splunk service, but no events are showing in "index=_audit" for this or in any other index for that matter.
I went ahead and upgraded the Windows Forwarder to version 4.3.3 and the Indexer is also at 4.3.3 to see if that would change anything, but it did not. Thanks for your help. At this time I will probably submit this to Splunk support.

0 Karma

dmaislin_splunk
Splunk Employee

I think you just need to take out the first two slashes. It is different than the monitor stanza.

[fschange:E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Monitorchangestoyourfilesystem

Also, it is when this is running from a forwarder that you set index = _audit; if it is local you don't have to do that.

To forward file system change monitor events from a universal forwarder, you must set signedaudit = false and index=_audit:

[fschange:<directory or file to monitor>]
signedaudit = false
index=_audit

With this workaround, file system change monitor events are indexed in the _audit index with sourcetype set to fs_notification and source set to fschangemonitor, instead of the default value of audittrail for both sourcetype and source.
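
The two things the answer above checks by eye (the stanza header is "fschange:<path>" with no "//", unlike "monitor://", and a forwarder stanza carries signedaudit = false and index=_audit) are easy to automate. The script below is an added example written for this page, not part of the thread and not a Splunk tool. It assumes only Splunk's INI-like .conf syntax; the sample inputs.conf it lints is constructed and includes the header from the question, the corrected header from the answer, and a stanza that is missing the forwarder settings.

```python
# Added example (not from the thread or from Splunk): a small linter for the
# fschange stanzas in a Splunk inputs.conf. It flags the "fschange://" header
# and, for a forwarder, any stanza that does not explicitly set
# signedaudit = false and index = _audit. Assumes Splunk's INI-like syntax.


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    A hand-rolled parser rather than configparser: stanza names carry ':' and
    Windows paths with backslashes, keys such as fullEvent are case-sensitive,
    and configparser would try to interpolate '%' in values.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside a stanza; nothing to record
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def lint_fschange(stanzas, on_forwarder=True):
    """Return [(stanza, problem), ...] for every fschange stanza.

    on_forwarder=True applies the forwarder requirements from the answer
    (signedaudit = false, index = _audit); pass False for a local indexer.
    """
    findings = []
    for name, settings in stanzas.items():
        if not name.startswith("fschange"):
            continue
        if name.startswith("fschange://"):
            findings.append((name, "header must be fschange:<path>, not "
                                   "fschange://<path> (that form is monitor://)"))
        elif not name.startswith("fschange:"):
            findings.append((name, "malformed fschange stanza header"))
        if not on_forwarder:
            continue
        if settings.get("signedaudit", "").lower() != "false":
            findings.append((name, "forwarded fschange events need an "
                                   "explicit signedaudit = false"))
        if settings.get("index") != "_audit":
            findings.append((name, "forwarded fschange events need index = _audit"))
    return findings


def lint_text(text, on_forwarder=True):
    """Convenience wrapper: parse and lint in one call."""
    return lint_fschange(parse_conf(text), on_forwarder)


# Constructed sample inputs.conf for a Windows universal forwarder.
SAMPLE_INPUTS_CONF = r"""
# local/inputs.conf (constructed sample, not a real deployment)
[fschange://E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

[fschange:E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

[fschange:C:\Windows\System32\drivers\etc]
fullEvent = true

[monitor://E:\logs\app.log]
sourcetype = app
"""


if __name__ == "__main__":
    for stanza, problem in lint_text(SAMPLE_INPUTS_CONF):
        print(f"[{stanza}]: {problem}")
```

Running it against the sample reports the "fschange://" header once and the drivers\etc stanza twice (no signedaudit, no index); the corrected stanza from the answer and the monitor:// stanza produce nothing. After fixing the file on the forwarder, `splunk btool inputs list --debug` prints each stanza as Splunk merged it together with the file it came from, which catches a header typo faster than waiting for events to appear in _audit.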

steveirogers
Communicator

Thank you dmaislin_splunk. I will try that and see if it works.

0 Karma