Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- some questions about
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, I am a beginner in splunk. I started implementing an enterprise splunk. At present from splunk I need monitoring of files, the register and logs, and some perfmon counters. But I met difficulties. I nave:
1) FileSystem monitoring:
[fschange:C:\Windows\System32]
pollPeriod = 3600
index = fschange
filters = ignore_logs
signedaudit = false
hashMaxSize = 104857600
recurse = true
followLinks = false
fullEvent = false
sendEventMaxSize = -1
filesPerDelay = 100
delayInMills = 1000
But when I create the directory (file), or I delete, splunk doesn't report to me about it.
2) Monitoring free space
[perfmon://LocalPhysicalDisk]
interval = 300
object = PhysicalDisk
counters = % Free Space; Free Megabytes
disabled = 0
instances = *
index = perfmon
It at all doesn't work.
3) Monitoring windows registry
[WinRegMon://RegistryMonitor]
baseline = 0
disabled = 0
hive = \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\?.*
proc = C:\\.*
index = winreg
type = rename|set|delete|create
It at all doesn't work.
Can you help me?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
On first look perfmon object is wrong. Physical Disk doesn't have those counters, Logical disk has.
[perfmon://LocalPhysicalDisk]
interval = 300
object = LogicalDisk
counters = % Free Space; Free Megabytes
disabled = 0
instances = *
index = perfmon
Regmon you have provided path in "proc" rather than the process name.
Use Monitor instead of fschange which is depreciated. But you need to put more logic to find out the file creation and deletion.
More details you can refer this:
http://docs.splunk.com/Documentation/Splunk/6.0.2/admin/inputsconf
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
On first look perfmon object is wrong. Physical Disk doesn't have those counters, Logical disk has.
[perfmon://LocalPhysicalDisk]
interval = 300
object = LogicalDisk
counters = % Free Space; Free Megabytes
disabled = 0
instances = *
index = perfmon
Regmon you have provided path in "proc" rather than the process name.
Use Monitor instead of fschange which is depreciated. But you need to put more logic to find out the file creation and deletion.
More details you can refer this:
http://docs.splunk.com/Documentation/Splunk/6.0.2/admin/inputsconf
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, at last I made the register monitoring. It is necessary to set up monitoring of file system
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, the first issue is resolved. I read input.conf, but didn't find specific examples about registry and monitoring of file system with a hash with monitor
Fun with Regular Expression - multiples of nine
[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...
What’s New & Next in Splunk SOAR
