- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- some questions about
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, I am a beginner in splunk. I started implementing an enterprise splunk. At present from splunk I need monitoring of files, the register and logs, and some perfmon counters. But I met difficulties. I nave:
1) FileSystem monitoring:
[fschange:C:\Windows\System32]
pollPeriod = 3600
index = fschange
filters = ignore_logs
signedaudit = false
hashMaxSize = 104857600
recurse = true
followLinks = false
fullEvent = false
sendEventMaxSize = -1
filesPerDelay = 100
delayInMills = 1000
But when I create the directory (file), or I delete, splunk doesn't report to me about it.
2) Monitoring free space
[perfmon://LocalPhysicalDisk]
interval = 300
object = PhysicalDisk
counters = % Free Space; Free Megabytes
disabled = 0
instances = *
index = perfmon
It at all doesn't work.
3) Monitoring windows registry
[WinRegMon://RegistryMonitor]
baseline = 0
disabled = 0
hive = \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\?.*
proc = C:\\.*
index = winreg
type = rename|set|delete|create
It at all doesn't work.
Can you help me?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
On first look perfmon object is wrong. Physical Disk doesn't have those counters, Logical disk has.
[perfmon://LocalPhysicalDisk]
interval = 300
object = LogicalDisk
counters = % Free Space; Free Megabytes
disabled = 0
instances = *
index = perfmon
Regmon you have provided path in "proc" rather than the process name.
Use Monitor instead of fschange which is depreciated. But you need to put more logic to find out the file creation and deletion.
More details you can refer this:
http://docs.splunk.com/Documentation/Splunk/6.0.2/admin/inputsconf
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
On first look perfmon object is wrong. Physical Disk doesn't have those counters, Logical disk has.
[perfmon://LocalPhysicalDisk]
interval = 300
object = LogicalDisk
counters = % Free Space; Free Megabytes
disabled = 0
instances = *
index = perfmon
Regmon you have provided path in "proc" rather than the process name.
Use Monitor instead of fschange which is depreciated. But you need to put more logic to find out the file creation and deletion.
More details you can refer this:
http://docs.splunk.com/Documentation/Splunk/6.0.2/admin/inputsconf
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, at last I made the register monitoring. It is necessary to set up monitoring of file system
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, the first issue is resolved. I read input.conf, but didn't find specific examples about registry and monitoring of file system with a hash with monitor
Splunk Platform | Upgrading your Splunk Deployment to Python 3.9
From Product Design to User Insights: Boosting App Developer Identity on Splunkbase
Detect and Resolve Issues in a Kubernetes Environment
