I need to monitor file changes and I want to know which changes were made.
inputs.conf
[fschange:///etc/passwd]
disabled = 0
fullEvent = true
sendEventMaxSize = -1
pollPeriod = 10
hashMaxSize = -1
index=unixsrv
sourcetype=linux_configfile
I can't see the difference between the results if I use inputs.conf with the stanza fullEvent=true and without it.
Result is always the same:
Tue Feb 23 14:45:14 2016
action=update,
path="///etc/passwd",
isdir=0,
size=1771,
gid=0, uid=0,
modtime="Tue Feb 23 14:45:11 2016",
mode="rw-r--r--",
hash=,
chgs="modtime "
I would like to have the full passwd file.
I thought the "fullEvent" parameter was just for that, but it looks like it isn't.
What am I doing wrong?
Thanks
Do not use this feature; it is discontinued: