I've just configured fschange on a lab test environment with a windows 7 forwarder, a W2k8 server and splunk 4.1.5. This is to duplicate a customer environment. I've set up fschange forwarding, and it's working as well as it can at the moment. It is, however, irritating that sourcetype and index cannot be set. I hope splunk get around to fixing this some time.

What I'm finding is that however I manipulate the file modes in windows, I'm not getting any events from fschange. I am seeing heaps of audit events via the Security Event Log, but the windows file permission mechanism and masking is complex and I'm having trouble sifting out the interesting events in a concise way.

What I need to show is not just that a file changed, but also when the access mode changes. I observe that the "mode" field from fschange only ever shows "rwxrwxrwx". This looks like a rather crude attempt to shoehorn windows file modes into unix-like ones, and it doesn't seem to work properly. Note that if you disable all file access modes but don't actually remove the file, this shows up in fschange as a 'delete' action, which is wrong, but I can see how splunk got there.

Does anyone know a reliable way to show when windows file access modes change, either with fschange or some other way?