Getting Data In

FSCHANGE recurse issue

chaben
Engager

Hello,

I want to watch .so .bin files in the /etc/security and its subfolders.

I applied a whitelist filter and a blacklist filter:

[filter:whitelist:whitelist_f]
regex1 = (.+.so$|.+.bin$)
[filter:blacklist:blacklist_f]
regex1 = .*

Paramètres du File System Change Monitor pour le dossier /etc

[fschange:/etc/security/]
recurse = true
filters = whitelist_f,blacklist_f

Result : i can see the .so and .bin on /etc/security and not in the subfolders.

I guess that fschange apply the filters on the subfolders name too.
I tried to write some regex to include some subfolders but i dont get the waited result.

example of tried regex :

regex1 = ^/etc/security/*/(.+.so$|.+.bin)$

regex1 = ^/etc/security/.../(.+.so$|.+.bin)$

regex1 = ^/etc/security/(.+.so$|.+.bin)$

Any idea is welcome,

Thanks in advance,

Chaben

Tags (3)

chaben
Engager

Thanks for your reply lukejadamec, i tried on Splunk Enterprise 6 but it doesn't work: No file added.

0 Karma

lukejadamec
Super Champion

I believe you need to make the change in the source, not the regex:

[fschange:/etc/security/...]

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...