I'm trying to get the universal forwarder to monitor a particular executable. It would have been nice to do a hash compare but after all this time invested trying to get this to work, I'll settle for any monitoring and subsequent forwarding of the particular file.
The results should be forwarded to a Splunk server.
Here is my inputs.conf:
[fschange://C:\myapp\myapp.exe]
pollPeriod = 60
signedaudit=false
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100
The log shows the following entry:
11-14-2012 04:32:36.997 -0500 INFO PipelineComponent - Pipeline fschangemanager enabled
11-14-2012 04:32:36.997 -0500 INFO loader - Instantiated plugin: fschangemanagerprocessor
11-14-2012 04:32:36.997 -0500 WARN FSChangeMonitor - Monitoring file or directory that doesn't exist at startup time - //C:\myapp\myapp.exe
The file definitely exists and it is in the path.
Does anyone have any idea where I could be going wrong?
Just to add, the one single event it forwarded reads as follows:
Wed Nov 14 07:21:07 2012 action=add, path="\myapp\myapp.exe", isdir=0, size=1899520, gid=-1, uid=-1, modtime="Tue Oct 30 12:18:02 2012", mode="rwxrwxrwx", hash=
Actually, it looks like I got one single entry forwarded, and then nothing else after hours.
I do see:
11-14-2012 07:25:29.893 -0500 INFO loader - Instantiated plugin: queueoutputprocessor
11-14-2012 07:25:29.893 -0500 INFO PipelineComponent - Pipeline fschangemanager enabled
11-14-2012 07:25:29.893 -0500 INFO loader - Instantiated plugin: fschangemanagerprocessor
11-14-2012 07:25:30.127 -0500 INFO loader - Instantiated plugin: queueoutputprocessor
11-14-2012 07:25:30.127 -0500 INFO PipelineComponent - Pipeline archivePipe enabled
11-14-2012 07:25:30.127 -0500 INFO loader - Instantiated plugin: archiveprocessor
11-14-2012 07:25:30.205 -0500 INFO loader - Instantiated plugin: queueoutputprocessor
11-14-2012 07:25:30.205 -0500 INFO PipelineComponent - Pipeline wineventlog enabled
11-14-2012 07:25:30.205 -0500 INFO loader - Instantiated plugin: wineventloginputprocessor
11-14-2012 07:25:30.205 -0500 INFO loader - Instantiated plugin: queueoutputprocessor
But no further mention of my file or my path.
Here is the current inputs.conf:
[fschange:C:\myapp\myapp.exe]
pollPeriod = 60
signedaudit=false
hashMaxSize=65535
fullEvent=true
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100
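As an added example (not code from the original thread), here is a small Python parser for the fschange event format shown above, plus the hash comparison the question was originally after. The sample event is reconstructed from the post, the expected hash is a placeholder, and the hash algorithm is left to whatever the forwarder reports (the check is a string comparison only):

```python
import ntpath
import re

# Constructed sample, modelled on the single event shown in the post above
# (timestamp prefix, comma-separated key=value fields, empty hash field).
SAMPLE_EVENT = ('Wed Nov 14 07:21:07 2012 action=add, path="\\myapp\\myapp.exe", isdir=0, '
                'size=1899520, gid=-1, uid=-1, modtime="Tue Oct 30 12:18:02 2012", '
                'mode="rwxrwxrwx", hash=')

# key=value pairs: the value is either double-quoted (may contain spaces or commas) or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]*))')


def parse_fschange_event(line: str) -> dict:
    """Return the event's fields as a dict; the leading timestamp goes under '_time'."""
    ts, sep, rest = line.partition(' action=')
    if not sep:
        raise ValueError('not an fschange event: ' + line)
    fields = {'_time': ts.strip()}
    for key, quoted, bare in _KV_RE.findall('action=' + rest):
        fields[key] = quoted if quoted else bare.strip()
    return fields


def check_event(line: str, watched_path: str, expected_hash: str) -> str:
    """Classify one event for the watched executable.

    Returns one of: 'other-file', 'hash-missing', 'hash-mismatch', 'ok'.
    """
    ev = parse_fschange_event(line)
    # The event's path may lack the drive letter (as in the post), so match on the file name.
    if ntpath.basename(ev.get('path', '')).lower() != ntpath.basename(watched_path).lower():
        return 'other-file'
    reported = ev.get('hash', '')
    if not reported:
        # Exactly the situation in the post: the event arrived but carries no hash,
        # so no integrity comparison is possible; flag it rather than silently pass.
        return 'hash-missing'
    if reported.lower() != expected_hash.lower():
        return 'hash-mismatch'
    return 'ok'


if __name__ == '__main__':
    print(parse_fschange_event(SAMPLE_EVENT))
    # 'placeholder-expected-hash' stands in for the known-good hash of myapp.exe.
    print(check_event(SAMPLE_EVENT, r'C:\myapp\myapp.exe', 'placeholder-expected-hash'))
```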
Did you change the file?
Thanks for the response.
I thought of removing the // previously, only then it had appeared not to work at all and there were no log entries. I uninstalled and reinstalled the forwarder, deleting the old paths and files, reconfigured it, and now it does in fact appear to work (sans the //).
Thanks so much!!
There is no // in the fschange spec:
[fschange:C:\myapp\myapp.exe]
will probably work better. Good thinking on checking the log (and including it in your question). Few people do that, it seems.