Re: fschange deprecated; what options are availabl...

joonradley · ‎11-29-2012

The 5.0 release documentation states that fschange is deprecated.

We use this extensively for configuration change detection. Does anyone know of how to get the same functionality as fschange on Linux and Windows?

Thx

joonradley · ‎11-29-2012

Any product will do at the moment.

kristian_kolb · ‎11-29-2012

For Linux, I'd guess that the auditd would be able to solve most things. Configuring it to be less noisy is probably an exercise.

For Windows, I'd guess that you have to enable auditing on "object access", and set ACL's on the objects (files/directories) you wish to monitor. Exactly how to do this is a bit beyond my experience.

miteshvohra · ‎04-11-2013

TripWire does a good job of monitoring changes. Unsure if there is a ready made app for it.

My two cents.

joonradley · ‎11-30-2012

Unfortunately I also need to track the changed contents as well.

kristian_kolb · ‎11-29-2012

Not too sure about that - or rather, I'm quite certain you can't. But what you will get is WHO made the change.

joonradley · ‎11-29-2012

Can you pull in the entire configuration file with these methods?

Ayn · ‎11-29-2012

Do you mean using Splunk exclusively, or do you want to know about other products that could solve this for you?

fschange deprecated; what options are available

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)