I've configured the agent on my machine to monitor file changes for a specific folder and validated that Splunk's OSSEC Reporting and Management app is seeing my agent, and my workstation shows up regular entries. It also noticed my changes in the config file, so I'm fairly certain the agent is reporting some things.
When I created, modified and deleted a file inside the newly monitored folder, there are no entries in Splunk for this. Am I missing something simple?
Have tried both of the entries below in the config, yet no love from Splunk
<directories check_all="yes" realtime="yes">O:\10GBTest</directories>
<directories report_changes="yes" realtime="yes">O:\10GBTest</directories>
... View more