Looking for the best way to implement the following use case:
Windows auditing is set up on a file share, so the addition of a file or an update to an existing file will create a Windows event 4663 with Accesses set to WriteData.
When Splunk detects such an event, I want to calculate the hash of the file and add it to the event log so that it will be accessible via Splunk searching. Alternatively, a new event could be created, as long as it has the timestamp, file path and name, and the hash value.
We have a simple Splunk setup with a single Splunk server and currently only universal forwarders. The file share is accessible from the Splunk server, so the file hash could be calculated on the Splunk server itself. Alternatively, the hash could be calculated on the server with the file share, if that is easier.
I can't have a long time between the file addition/update and the calculation of the hash; less than a minute, ideally.
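One way to implement the flow asked about above, as an added example that is not part of the original post and not Splunk's own code: a small Python routine that takes the text of a 4663 event, checks that Accesses contains WriteData, hashes the file named in Object Name, and returns a new record (timestamp, path, process, SHA-256) that a scripted input or alert action could emit as its own event. The event layout, field names and sample content are constructed assumptions modelled on the key: value body Splunk's Windows event log input typically produces; a real deployment should parse whatever format the forwarder actually delivers. The record also carries a `status` field so that the race the poster worries about (the event arriving before the file is fully written or readable) shows up in the index instead of being silently lost.

```python
"""Added example (not from the original post): turn a Windows 4663 WriteData
event into a new Splunk-style hash event. Field layout is an assumption."""
import hashlib
import json
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructed sample 4663 event body (assumed layout, not captured from a host).
SAMPLE_4663 = """\
EventCode=4663
Object Name: {path}
Process Name: C:\\Windows\\explorer.exe
Accesses: WriteData (or AddFile)
"""

# Only the fields this routine needs; "Object Name" is the file that was written.
FIELD_RE = re.compile(
    r"^(?P<key>Object Name|Accesses|Process Name):\s*(?P<value>.+)$", re.M
)


def parse_4663(event_text):
    """Extract the key: value fields we care about from the event body."""
    return {m.group("key"): m.group("value").strip()
            for m in FIELD_RE.finditer(event_text)}


def is_write_event(fields):
    """True when the access mask reported by auditing includes WriteData."""
    return "WriteData" in fields.get("Accesses", "")


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large files on the share don't
    have to be loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hash_event(event_text):
    """Return the new event to index, or None if this 4663 is not a write.
    The 'status' field records why a hash could not be computed (file
    missing, still locked by the writer, or the object is a directory)."""
    fields = parse_4663(event_text)
    if not is_write_event(fields):
        return None
    path = fields.get("Object Name")
    if not path:
        return None
    record = {
        "time": datetime.now(timezone.utc).isoformat(),  # hashing time, not event time
        "file_path": path,
        "process": fields.get("Process Name"),
        "sha256": None,
        "status": "hashed",
    }
    try:
        record["sha256"] = sha256_of_file(path)
    except FileNotFoundError:
        record["status"] = "missing"       # renamed/deleted before we got to it
    except IsADirectoryError:
        record["status"] = "directory"     # AddFile on a folder, nothing to hash
    except PermissionError:
        record["status"] = "locked"        # still open for write, retry later
    return record


def demo(content=b"hello world"):
    """Create a temporary file, feed a constructed 4663 event naming it
    through build_hash_event, and return the resulting record."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(content)
        return build_hash_event(SAMPLE_4663.format(path=path))
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Print the record as one JSON line, the shape a scripted input would emit.
    print(json.dumps(demo()))
```

Wired as a Splunk alert action triggered by a search for `EventCode=4663 Accesses="*WriteData*"`, the latency is bounded by the alert's schedule, so a one-minute target means a real-time or once-a-minute search; the record's `status` field lets a second search retry the `locked` and `missing` cases rather than assuming every write was hashed.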