Solved: fschange not picking up changes for all subfolders

snowmizer · ‎07-12-2010

I would like to setup file system change monitoring on my Windows server (using fschange) where my users private folders reside (e.g. F:\MyUsers). I have configured the inputs.conf file on my server where Splunk is running. I restarted Splunk (also rebooted the Splunk server).

I then created a text file in my own folder (F:\MyUsers\myuserfolder). I also tried modifying an existing file in this folder. Splunk doesn't pick up my changes. However when I search the index where I'm placing these events I see events for a few users (e.g. F:\MyUsers\jdoefolder). I verified permissions. Administratively the permissions are the same across all folders.

Why would Splunk not index changes from all subfolders?

Thanks.

Branden · ‎08-12-2010

I am pretty new to fschange, but in your inputs.conf do you have "recurse=true" set? I'm guessing you do since it's picking up other users' changes, but I figure it's worth a shot!

View solution in original post

Branden · ‎08-12-2010

I am pretty new to fschange, but in your inputs.conf do you have "recurse=true" set? I'm guessing you do since it's picking up other users' changes, but I figure it's worth a shot!

snowmizer · ‎08-13-2010

I went back and re-verified the permissions on the folders. Turns out we have two different administrative permissions set. When you first glance at them they look the same but they aren't.

Thanks for the reply.

fschange not picking up changes for all subfolders

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!