Getting Data In

Can Splunk monitor fschange?

nagarjuna280
Communicator

I want to know the user details, what changes happened, and when, if someone makes changes to config files. Is that possible?
I tried the config below, and I got events such as:

6/14/10 9:20:52.000 AM Mon Jun 14 09:20:52 2010 action=add, path="C:\TEMP\configs.txt", isdir=0, size=388, gid=-1, uid=-1, modtime="Mon Jun 14 09:17:56 2010", mode="rwxrwxrwx", hash=

[monitor://\192.168.1.12\Siteroot\Web.config]
disabled = false
index = _audit
sourcetype =dfgd
pollPeriod = 60

and when I tried to set up this config in Splunk forwarder, I didn't get any results.

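As an added illustration (not code from the thread or from Splunk), the following Python parses raw fschange events of the shape shown above (without the Splunk UI timestamp prefix) and reports, per event, what changed and whether the event actually names the user who made the change. The first sample line is the event from the question; the other two are constructed, including the uid/gid values and the hash on the third line.

```python
import re
from datetime import datetime

# Constructed sample input. Line 1 is the question's own event; lines 2 and 3 are
# made up for illustration (the uid/gid/hash values on line 3 are not from the page).
SAMPLE_EVENTS = [
    'Mon Jun 14 09:20:52 2010 action=add, path="C:\\TEMP\\configs.txt", isdir=0, '
    'size=388, gid=-1, uid=-1, modtime="Mon Jun 14 09:17:56 2010", mode="rwxrwxrwx", hash=',
    'Mon Jun 14 09:25:10 2010 action=update, path="C:\\TEMP\\configs.txt", isdir=0, '
    'size=402, gid=-1, uid=-1, modtime="Mon Jun 14 09:25:09 2010", mode="rwxrwxrwx", hash=',
    'Mon Jun 14 10:01:33 2010 action=update, path="/etc/ssh/sshd_config", isdir=0, '
    'size=3211, gid=0, uid=0, modtime="Mon Jun 14 10:01:33 2010", mode="rw-r--r--", hash=abc123',
]

# Leading "Mon Jun 14 09:20:52 2010 " timestamp, then the comma-separated key=value body.
_TS_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted (may contain commas/backslashes)
# or bare up to the next comma. An empty value such as `hash=` is allowed.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|[^,]*)')


def parse_fschange_event(line):
    """Turn one raw fschange event line into a dict of string fields plus _time."""
    m = _TS_RE.match(line.strip())
    if not m:
        raise ValueError("not an fschange event: %r" % line)
    fields = {"_time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")}
    for key, raw, quoted in _KV_RE.findall(m.group("rest")):
        fields[key] = quoted if raw.startswith('"') else raw.strip()
    return fields


def assess_change(fields):
    """Summarise one parsed event and say whether it identifies the acting user.

    In the question's event uid and gid are both -1, so the event records that the
    file changed but not who changed it; that is the gap the accepted answer points
    at when it refers to Windows file-system auditing or auditd as alternatives.
    """
    attributed = fields.get("uid", "-1") != "-1" and fields.get("gid", "-1") != "-1"
    return {
        "time": fields["_time"].isoformat(),
        "action": fields.get("action", ""),
        "path": fields.get("path", ""),
        "size": int(fields["size"]) if fields.get("size", "").lstrip("-").isdigit() else None,
        "hash": fields.get("hash", ""),
        "user_attributed": attributed,
    }


def assess_changes(lines):
    """Parse and assess a batch of raw event lines, skipping lines that do not parse."""
    findings = []
    for line in lines:
        try:
            findings.append(assess_change(parse_fschange_event(line)))
        except ValueError:
            continue
    return findings


if __name__ == "__main__":
    for f in assess_changes(SAMPLE_EVENTS):
        who = "user known" if f["user_attributed"] else "NO user attribution (uid/gid = -1)"
        print("%s %-6s %-25s size=%s  %s" % (f["time"], f["action"], f["path"], f["size"], who))
```

Running it shows the two Windows events from the question's setup flagged as having no user attribution, while the constructed Unix-style event carries a uid/gid. If the requirement is "who changed the config", that flag is the field to alert on, because fschange alone cannot answer it.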

inventsekar
SplunkTrust

From the inputs.conf documentation:
http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Inputsconf

[fschange:D:\Siteroot\web.config\]
fullEvent=true
pollPeriod=60
recurse=true
sendEventMaxSize=100000
index=main
sourcetype =dfgd

I think instead of monitor you should use fschange,
and for the index, we should not use _audit
(maybe index=main or something).

EDIT - thanks @harsmarvania57
Please keep in mind that this feature is deprecated and will be removed in a future version of Splunk. Please see the documentation: http://docs.splunk.com/Documentation/Splunk/7.2.1/Data/Monitorchangestoyourfilesystem

This feature has been deprecated as of Splunk Enterprise version 5.0. This means that although it continues to function in version 6.x of Splunk software, it might be removed in a future version. As an alternative, you can:

- Learn how to monitor file system changes on Windows systems.
- Use the auditd daemon on *nix systems and monitor output from the daemon.

For a list of all deprecated features, see the topic Deprecated features in the Release Notes.
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!

harsmarvania57
Ultra Champion

Please keep in mind that this feature is deprecated and will be removed in a future version of Splunk. Please see the documentation: http://docs.splunk.com/Documentation/Splunk/7.2.1/Data/Monitorchangestoyourfilesystem

This feature has been deprecated as of Splunk Enterprise version 5.0. This means that although it continues to function in version 6.x of Splunk software, it might be removed in a future version. As an alternative, you can:

- Learn how to monitor file system changes on Windows systems.
- Use the auditd daemon on *nix systems and monitor output from the daemon.

For a list of all deprecated features, see the topic Deprecated features in the Release Notes.