Getting Data In

fschange won't work

Path Finder

Hey guys,

I've looked everywhere and as far as I could tell none of the other answers helped my problem. As you can guess I'm relatively new so go easy on me 😜

I've managed to get fschange to work with $splunkhome/etc (who hasn't right?) but when I change the directory to /home/administrator/Documents it doesn't work. I wanted to do this as a test to see if I could get fschange to work before sticking it to do the real work with actual files.

My problem is I've tried everything I know (which isn't much). I've even done a search

index=_internal source="splunkd.log" /documents

to see if there were any reported problems in the logs ... nothing

here is my code, I know it's probably obvious where I went wrong, but I would really appreciate any help you could give me, thanks

[default]
host = ubuntu-splunk

[fschange:/home/administrator/Documents]
index = _audit
recurse = true
followLinks = false
signedaudit = false
fullEvent = true
sendEventMaxSize = 1048576
delayInMills = 1000

in the inputs.conf in /etc/system/local


Path Finder

I've solved it, I think I had conflicts so I changed inputs.conf completely.

[default]
host = ubuntu-splunk
[fschange:/home/administrator/Documents/]
index = main
signedaudit = false
pollPeriod = 1
hashMaxSize = 10485760
fullEvent = true

and now I find my changes/adds/deletes when I search

index=main sourcetype="fs_notification"


SplunkTrust

Then I come back with my initial comment: does the user running splunkd have permission to read in /home/administrator/Documents?


Path Finder

thanks for that, yeah it is basically like that except that instead of blanks on the return lines, I added #


Legend

In your inputs.conf you specify that the fschange events should be written to the index _audit, but in your search you're looking in the index _internal...

Legend

Excellent that you solved it 🙂


Path Finder

hey, sorry I didn't see your reply, I've solved it, either my config was right and I was looking in the wrong place or I got the wrong config, but the one I wrote in the answer I gave works just fine. Thanks for your help though.


Legend

Well as far as I can tell the config you pasted looks OK. I could try with your exact settings later on and see what the results are.


Path Finder

Hey, I tested the setup after making the Splunk user have admin privileges and restarted, ran again and nothing. I still can't find any errors in the log, and I still can't find the input when I add, change or delete a file / folder in the /Documents section.


Path Finder

the search brings back some http requests and the old errors I made before changing the syntax to how you see it now. As for the user, it was a normal user which I've now changed to admin. I will be starting a conference in a minute so I will test it tomorrow and get back to you, thanks for the help though


Legend

Ah, sorry, I misread - I thought you were looking for the actual events in _internal. Does a search for index=_internal fschange show anything interesting?

Also does the user Splunk is running as have read access to the directory you're wanting to run fschange on?
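The read-access question raised here (and repeated in the SplunkTrust comment above) can be answered mechanically. The script below is an added example, not code from this thread or from Splunk: it assumes the standard inputs.conf layout in which every monitored directory appears as a [fschange:<path>] stanza header, and that you run it as the user splunkd runs as (for example via su or sudo). The inputs.conf written by demo() is constructed sample data, not the poster's file, and $SPLUNK_HOME in the usage comment is a placeholder for the real install path.

```shell
#!/bin/sh
# Added example (not from the thread): extract the path of every
# [fschange:<path>] stanza in an inputs.conf and check that the user
# running this script can read and traverse that directory.

# Print the path from every [fschange:<path>] stanza header.
fschange_paths() {
    sed -n 's/^[[:space:]]*\[fschange:\(.*\)][[:space:]]*$/\1/p' "$1"
}

# 0 if the directory exists and is readable and searchable by this user.
dir_readable() {
    [ -d "$1" ] && [ -r "$1" ] && [ -x "$1" ]
}

# Print OK/FAIL per monitored path and return how many paths this user
# cannot read; 0 means every fschange stanza points at a readable directory.
check_fschange_inputs() {
    bad=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if dir_readable "$p"; then
            echo "OK   $p"
        else
            echo "FAIL $p (missing or not readable by $(id -un))"
            bad=$((bad + 1))
        fi
    done <<EOF
$(fschange_paths "$1")
EOF
    return "$bad"
}

# Self-contained demo with a constructed inputs.conf: one stanza points at
# a directory that exists, the other at one that does not, so the check
# is expected to report exactly one failure.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/Documents"
    cat >"$tmp/inputs.conf" <<EOF
[default]
host = ubuntu-splunk

[fschange:$tmp/Documents]
index = main
signedaudit = false
fullEvent = true

[fschange:$tmp/does-not-exist]
index = main
EOF
    check_fschange_inputs "$tmp/inputs.conf"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Stand-alone use (placeholder path, run as the splunkd user):
#   sh check_fschange.sh $SPLUNK_HOME/etc/system/local/inputs.conf
# With no argument the constructed demo runs instead.
if [ $# -gt 0 ]; then
    check_fschange_inputs "$1"
else
    demo || echo "demo: $? unreadable path(s) reported (1 expected)"
fi
```

A FAIL line for the directory you are monitoring means splunkd cannot see the files regardless of how the stanza is written; an OK line for every path points the investigation back at the stanza itself or at the index you are searching.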

Path Finder

I thought that's what you type to get info on the splunkd logs. When I change to _audit, I get no results, whereas when I keep _internal, I get the errors I had with my previous syntax show up, but it doesn't show any errors since the ones I fixed, but still, no results


Legend

I fixed your formatting a bit - is this how your config files look like?
