Hey guys,
I've looked everywhere and as far as I could tell none of the other answers helped my problem. As you can guess I'm relatively new so go easy on me 😜
I've managed to get fschange to work with $splunkhome/etc (who hasn't right?) but when I change the directory to /home/administrator/Documents it doesn't work. I wanted to do this as a test to see if I could get fschange to work before sticking it to do the real work with actual files.
My problem is I've tried everything I know (which isn't much). I've even done a search
index=_internal source="splunkd.log3 /documents
to see if it there were any reported problems in the logs ... nothing
here is my code, I know it's probably obvious where I went wrong, but I would really appreciate any help you could give me, thanks
[default]
host = ubuntu-splunk
[fschange:/home/administrator/Documents]
index = _audit
recurse = true
followLinks = false
signedaudit = false
fullEvent = true
sendEventMaxSize = 1048576
delayInMills = 1000
in the inputs.conf in /etc/system/local
I've solved it, I think I had conflicts so I changed inputs.conf completely.
[default]
host = ubuntu-splunk
[fschange:/home/administrator/Documents/]
index = main
signedaudit = false
pollPeriod = 1
hashMaxSize = 10485760
fullEvent = true
and now I find my changes/adds/deletes when I search
index=main sourcetype="fs_notification"
then I come back with my initial comment; does the user running splunkd have permission to read in /home/administrator/Documents ?
thanks for that, yeah it is basically like that except that instead of blanks on the return lines, I added #
In your inputs.conf you specify that the fschange events should be written to the index _audit, but in your search you're looking in the index _internal...
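As an added example (not the poster's config and not Splunk's own code), a small Python checker that reads an inputs.conf, pulls out the fschange stanzas and reports the two things this thread ran into: a search whose index does not match the stanza's index, and a monitored directory the running user cannot read. SAMPLE_INPUTS_CONF is a constructed copy of the working config above; the fallback to "main" when a stanza sets no index is assumed.

```python
import configparser
import os
import re

# Constructed sample modelled on the working inputs.conf from this thread.
SAMPLE_INPUTS_CONF = """
[default]
host = ubuntu-splunk

[fschange:/home/administrator/Documents/]
index = main
signedaudit = false
pollPeriod = 1
hashMaxSize = 10485760
fullEvent = true
"""


def parse_fschange_stanzas(text):
    """Return {monitored_path: settings} for every [fschange:<path>] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    stanzas = {}
    for section in cp.sections():
        if section.startswith("fschange:"):
            # configparser lowercases keys, so 'index' is always findable.
            stanzas[section[len("fschange:"):]] = dict(cp[section])
    return stanzas


def index_in_search(search):
    """Pull the index name out of a Splunk search string, or None if absent."""
    m = re.search(r'index\s*=\s*"?([A-Za-z0-9_]+)"?', search)
    return m.group(1) if m else None


def check_search_against_config(text, search):
    """List stanzas whose events land in a different index than the search reads."""
    wanted = index_in_search(search)
    problems = []
    for path, settings in parse_fschange_stanzas(text).items():
        configured = settings.get("index", "main")  # assumed default index
        if configured != wanted:
            problems.append(f"{path}: events go to index={configured}, "
                            f"search uses index={wanted}")
    return problems


def check_read_access(path):
    """True if the user running this (ideally the splunkd user) can list the directory."""
    return os.path.isdir(path) and os.access(path, os.R_OK | os.X_OK)
```

Run it as the same account splunkd runs under, otherwise the access check tells you about the wrong user.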
Excellent that you solved it 🙂
hey, sorry I didn't see your reply, I've solved it, either my config was right and I was looking in the wrong place or I got the wrong config, but the one I wrote in the answer I gave works just fine. Thanks for your help though.
Well as far as I can tell the config you pasted looks OK. I could try with your exact settings later on and see what the results are.
Hey, I tested the setup after making the Splunk user have admin privileges and restarted, ran again and nothing. I still can't find any errors in the log, and I still can't find the input when I add, change or delete a file / folder in the /Documents section
the search brings back some http requests and the old errors I made before changing the syntax to how you see it now. As for the user, it was a normal user which I've now changed to admin, I will be starting a conference in a minute so I will test it tomorrow and get back to you, thanks for the help though
Ah, sorry, I misread - I thought you were looking for the actual events in _internal. Does a search for index=_internal fschange show anything interesting?
Also, does the user Splunk is running as have read access to the directory you're wanting to run fschange on?
I thought that's what you type to get info on the splunkd logs. When I change to _audit, I get no results, whereas when I keep _internal, I get the errors I had with my previous syntax show up, but it doesn't show any errors since the ones I fixed, but still, no results
I fixed your formatting a bit - is this what your config files look like?