Hi there,
I'm somewhat new to Splunk and hoping some of the more seasoned veterans can assist me.
I have a process hashing a file and writing some output to a log.
The entries look like this:
Wed 11/21/201215:17:54.38 //// File Checksum Integrity Verifier version 2.05.//31127455faac11149dfdabc2261cdb7a c:\integrity\integrityservicex.exe
host=WIN-IK3D6F4B55R sourcetype=integrity-too_small source=C:\Program Files\SplunkUniversalForwarder\integrity.txt
It is being indexed and is searchable properly.
What I wanted to do was create an alert for when the hash entry changes; in this case the hash is 31127455faac11149dfdabc2261cdb7a.
So I would always expect the valid entry to exist in the file; what I want to do is detect an invalid entry (the hash has changed) and alert based on that.
Could anyone offer a few hints to get me started?
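One way to implement the check asked for in the post, as an added example that is not part of the original thread: parse the FCIV-style lines shown above, compare each observed hash with a known-good baseline, and raise an alert on a mismatch or on a path that never reports at all. The sample lines (the second one carries a constructed, tampered hash) and the baseline dict are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# The FCIV-style lines from the post end in a 32-hex-digit MD5 followed by
# whitespace and the file path; the timestamp/version banner before the
# hash is ignored.
FCIV_LINE = re.compile(r"\b([0-9a-fA-F]{32})\s+(\S.*?)\s*$")


def parse_fciv_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (path, md5), both lower-cased, or None if the line has no hash."""
    m = FCIV_LINE.search(line)
    if not m:
        return None
    return m.group(2).lower(), m.group(1).lower()


def check_integrity(lines: List[str], baseline: Dict[str, str]) -> List[dict]:
    """Compare every observed hash with the baseline.

    One alert per line whose path is baselined but whose hash differs, plus
    one alert per baselined path that never appears: a missing entry is also
    worth alerting on, since the hashing job itself may have stopped.
    """
    alerts = []
    seen = set()
    for line in lines:
        parsed = parse_fciv_line(line)
        if parsed is None:
            continue  # unrelated log line, not an FCIV result
        path, observed = parsed
        seen.add(path)
        expected = baseline.get(path)
        if expected is not None and observed != expected:
            alerts.append({"path": path, "expected": expected,
                           "observed": observed, "reason": "hash_mismatch"})
    for path, expected in baseline.items():
        if path not in seen:
            alerts.append({"path": path, "expected": expected,
                           "observed": None, "reason": "missing"})
    return alerts


# Constructed sample input: first line is the good entry from the post,
# second line has a made-up hash standing in for a modified binary.
SAMPLE_LINES = [
    r"Wed 11/21/2012 15:17:54.38 //// File Checksum Integrity Verifier version 2.05.//31127455faac11149dfdabc2261cdb7a c:\integrity\integrityservicex.exe",
    r"Thu 11/22/2012 15:17:55.12 //// File Checksum Integrity Verifier version 2.05.//0123456789abcdef0123456789abcdef c:\integrity\integrityservicex.exe",
    "11-22-2012 15:17:55.900 -0500 INFO loader - unrelated line without a hash",
]
BASELINE = {r"c:\integrity\integrityservicex.exe": "31127455faac11149dfdabc2261cdb7a"}

if __name__ == "__main__":
    for alert in check_integrity(SAMPLE_LINES, BASELINE):
        print(alert)
```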
Just to add, the one single event it forwarded reads as follows:
Wed Nov 14 07:21:07 2012 action=add, path="\myapp\myapp.exe", isdir=0, size=1899520, gid=-1, uid=-1, modtime="Tue Oct 30 12:18:02 2012", mode="rwxrwxrwx", hash=
Actually, it looks like I got one single entry forwarded, and then nothing else after hours.
I do see:
11-14-2012 07:25:29.893 -0500 INFO loader - Instantiated plugin: queueoutputprocessor
11-14-2012 07:25:29.893 -0500 INFO PipelineComponent - Pipeline fschangemanager enabled
11-14-2012 07:25:29.893 -0500 INFO loader - Instantiated plugin: fschangemanagerprocessor
11-14-2012 07:25:30.127 -0500 INFO loader - Instantiated plugin: queueoutputprocessor
11-14-2012 07:25:30.127 -0500 INFO PipelineComponent - Pipeline archivePipe enabled
11-14-2012 07:25:30.127 -0500 INFO loader - Instantiated plugin: archiveprocessor
11-14-2012 07:25:30.205 -0500 INFO loader - Instantiated plugin: queueoutputprocessor
11-14-2012 07:25:30.205 -0500 INFO PipelineComponent - Pipeline wineventlog enabled
11-14-2012 07:25:30.205 -0500 INFO loader - Instantiated plugin: wineventloginputprocessor
11-14-2012 07:25:30.205 -0500 INFO loader - Instantiated plugin: queueoutputprocessor
But no further mention of my file or my path.
Here is the current inputs.conf:
[fschange C:\myapp\myapp.exe]
pollPeriod = 60
signedaudit=false
hashMaxSize=65535
fullEvent=true
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100
Thanks for the response.
I thought of removing the // previously; only then it had appeared not to work at all and there were no log entries. I uninstalled and reinstalled the forwarder, deleting the old paths and files, reconfigured, and now it does in fact appear to work (sans the //).
Thanks so much!!
I'm trying to get the universal forwarder to monitor a particular executable. It would have been nice to do a hash compare but after all this time invested trying to get this to work, I'll settle for any monitoring and subsequent forwarding of the particular file.
The results should be forwarded to a Splunk server.
Here is my inputs.conf:
[fschange://C:\myapp\myapp.exe]
pollPeriod = 60
signedaudit=false
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100
The log shows the following entry:
11-14-2012 04:32:36.997 -0500 INFO PipelineComponent - Pipeline fschangemanager enabled
11-14-2012 04:32:36.997 -0500 INFO loader - Instantiated plugin: fschangemanagerprocessor
11-14-2012 04:32:36.997 -0500 WARN FSChangeMonitor - Monitoring file or directory that doesn't exist at startup time - //C:\myapp\myapp.exe
The file definitely exists and it is in the path.
Does anyone have any idea where I could be going wrong?