Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

filesystem change monitor on windows LightWeight Forwarder

steveirogers
Communicator
‎07-25-2012 11:24 AM

Installation: Universal Forwarder 4.3.2
I am trying to use the FileSystem monitor to monitor the files in inputs.conf.
I added this stanza to the "inputs.conf" file and restarted the Forwarder. 

[fschange://E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

I then made several configuration changes to "inputs.conf" (and restarted the Forwarder) but I do not see any events n the "_audit" index. Where am I going wrong? Thanks

0 Karma
Reply

steveirogers
Communicator
‎07-26-2012 01:32 PM 
No success as yet.  I modified the fsmonitor stanza on the Forwarder as follows:
[fschange:E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

I have made changes to the "inputs.conf" file in that location, restarted the Splunk service, but no events are showing in "index=_audit" for this this or in any other index for that matter.
I went ahead and upgraded the Windows Forwarder to version 4.3.3 and the Indexer is also at 4.3.3 to see if that would change anything, but it did not. Thanks for your help. At this time I will probably submit this to Splunk support.

0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎07-25-2012 12:53 PM

I think you just need to take out the first two slashes. It is different than the monitor stanza.

[fschange:E:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local]
signedaudit = false
index=_audit
fullEvent = true

http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Monitorchangestoyourfilesystem

Also if this is running from a forwarder is when you set the index = _audit, otherwise if it is local you don't have to do that.

To forward file system change monitor events from a universal forwarder, you must set signedaudit = false and index=_audit:

[fschange:<directory or file to monitor>]
signedaudit = false
index=_audit

With this workaround, file system change monitor events are indexed in the _audit index with sourcetype set to fs_notification and source set to fschangemonitor, instead of the default value of audittrail for both sourcetype and source .
Reply

steveirogers
Communicator
‎07-25-2012 03:02 PM

Thank you dmaislin_splunk. I will try that and see if it works.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...