When my company first purchased Splunk 4.x, fschange was not deprecated and was one of the reasons that we have Splunk. I know it has been labeled as deprecated since 5.x, and it is still in the latest 6.x release. We find it very useful, and it meets our basic requirement for change tracking. It is very easy and provides that one place to manage our change tracking needs. With the latest changes to PCI compliance, one would think that keeping this in core Splunk would be a great selling point for Splunk, as it is a strong security tool. Why take away capability???
Splunk is recommending using the OS native tools to do this. This is not nearly as streamlined as using fschange and adds more work to implement on an enterprise basis (more complex and fragmented across multiple process owners, i.e. Windows Admins, UNIX Admins, Security and so on).
I have asked my Splunk Sales support team to submit an enhancement request to keep fschange supported and remove it from being deprecated. From what I have seen looking through all of the interest in fschange on “Answers”, I think that if everyone who has used it or has a need for it would also submit an official enhancement request, we could keep fschange supported. Supported is the key word, as with any compliance-type tool most companies require it to be supported in order to use it.
Please submit your enhancement requests to help save fschange. If we all do this, it would be hard for Splunk to look the other way. I for one would hate to see it go away. What say you?
This might be a good forward looking solution: http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
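For readers weighing the "OS native tools" advice above against what fschange actually provided, here is an added example (not from the original post, not Splunk code, and not a replacement for fschange or auditd) of the core of a file integrity check: a baseline of SHA-256 digests plus permission bits for a directory tree, and a diff of a later snapshot against it that reports added, removed and modified paths. The directory layout, file contents and the "attacker" changes in `demo()` are constructed for the demonstration; the function names `snapshot`, `diff_snapshots` and `demo` are this example's own.

```python
"""Minimal hash-based file integrity check (added example, not Splunk code).

Builds a baseline of SHA-256 digests and mode bits for a directory tree, then
compares a later snapshot against it and reports added, removed and modified
paths. Tracking content hashes and permissions is the requirement fschange
covered; this script only illustrates that requirement. All paths and file
contents below are constructed for the demo.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (sha256, mode bits) for each regular file under root.

    Symlinks and special files are skipped here; a production monitor would
    record them separately rather than follow them.
    """
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = (sha256_file(full), stat.S_IMODE(st.st_mode))
    return result


def diff_snapshots(baseline, current):
    """Return sorted lists of added, removed and modified relative paths.

    A path counts as modified when either its digest or its mode changed, so a
    permission-only change (e.g. shadow made world-readable) is still reported.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, mutate the tree, diff the result."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "shadow"), "w") as f:
            f.write("root:*:0:0:99999:7:::\n")
        os.chmod(os.path.join(etc, "shadow"), 0o600)
        baseline = snapshot(root)

        # Simulated changes: content edit, permission-only change, delete, create.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("eve:x:0:0::/root:/bin/bash\n")   # constructed: extra uid-0 user
        os.chmod(os.path.join(etc, "shadow"), 0o644)  # content same, mode changed
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(etc, "sudoers.d"), "w") as f:
            f.write("eve ALL=(ALL) NOPASSWD:ALL\n")   # constructed: new file
        return diff_snapshots(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The permission-only change to `shadow` is the case worth noting: a monitor that compares digests alone would miss it, which is why the snapshot stores mode bits alongside the hash. Whatever native tool replaces fschange (auditd on Linux, as the link above describes, or object access auditing on Windows) needs to cover both kinds of change for PCI-style file integrity requirements.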
We currently have no plans to remove the file integrity monitoring feature from Splunk without providing a native alternative. Fschange will continue to exist in the Splunk package as a fully supported feature until we have an equivalent. Deprecation simply means we are no longer making feature improvements to fschange specifically. This also means a future file integrity monitoring feature may not use the fschange stanza in inputs.conf but may be delivered through another method.
Thanks,
Splunk Product Management
This is great news. It's good to know that fschange is not going away without some sort of replacement.
Thank you!
Is this still the case? Or is there a replacement (for both *nix and Windows)?
Too late, already deprecated in version 5. Maybe someone will come up with an app to replace it.
It is my impression that fschange was not working too well or too stably on Windows, and that could be the reason for its deprecation.
However, I agree with you, and it will be interesting to see how they choose to solve this for the ESS and PCI apps.