fsmonitor question

diegosainz · ‎04-22-2013

Is it possible for a file monitored with fsmonitor to send an alert on any difference of the file? or would monitoring the file be able to provide that visibility.

rnolette · ‎04-22-2013

if fsmonitor has a log file that generates events on file status changes then you can write a custom file monitor that will send the events to the splunk server. You then can create a realtime query Alert that will email you every time this event is triggered. I did this for checking when someone changes something on one of my servers that has a custom application on it.

diegosainz · ‎04-23-2013

Thank you. I will do that.

rnolette · ‎04-22-2013

oh. well you didn't say that. Does the file monitor not read in the file when it alerts you? I dont think you can do diff change monitoring from splunk. youd need a diff application to push the new copy to and the old copy then have splunk alert on what the diff application said changed. That would tell you but is a bunch of work. If the device is a network appliance, just use puppet or Cacti.

diegosainz · ‎04-22-2013

We have done that, we would like to know what has changed in the file.

fsmonitor question

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

fsmonitor question

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2