Getting Data In

Need assistance with getting fschange to work

bbailey1024
Explorer

I have a universal forwarder sending logs to Splunk and with monitor, everything is working just fine. However, I thought I'd test out fschange to log file system modifications on some of my Linux hosts. To that end I've modified the $SPLUNK/etc/system/local/inputs.conf so it reads as follows:

[default]
host = Hostname

[filter:whitelist:configs]
regex1 = .*\.txt

[filter:blacklist:terminal-blacklist]
regex1 = .?

[fschange:/path/to/dir]
index = _audit
recurse = true
followLinks = false
signedaudit = false
fullEvent = true
sendEventMaxSize = 1048576
delayInMills = 1000
filters = configs,terminal-blacklist

This sample was taken directly from http://docs.splunk.com/Documentation/Splunk/4.3.4/Data/Monitorchangestoyourfilesystem

With the above configuration I would expect that any changes to a txt file in the monitored directory would be logged. However, if I make a change to a txt file in that directory, no log entry is observed in Splunk.

I'm running Splunk 4.3.3, UF 4.3.4, and have the nix Technology Add-on installed (I need this).

Any help would be appreciated as I'm sure it's something small that I've overlooked.

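To make the whitelist/terminal-blacklist interplay in the posted inputs.conf concrete, here is an added Python model of it (not Splunk code and not part of the original thread). It parses a constructed copy of the stanzas above and decides, per sample path, whether fschange would report it. It assumes the filter semantics described in the 4.3 documentation linked in the post: filters are tried in the order given by `filters =`, the first regex that matches decides (whitelist = monitored, blacklist = ignored), and a path no filter matches is monitored, which is why the catch-all `.?` terminal blacklist is needed. The function names and the unanchored `re.search` matching are the example's own choices.

```python
import configparser
import re

# Constructed copy of the inputs.conf from the post (not read from a live host).
INPUTS_CONF = r"""
[default]
host = Hostname

[filter:whitelist:configs]
regex1 = .*\.txt

[filter:blacklist:terminal-blacklist]
regex1 = .?

[fschange:/path/to/dir]
index = _audit
recurse = true
filters = configs,terminal-blacklist
"""


def load_filters(conf_text):
    """Parse filter stanzas and fschange stanzas from Splunk-style INI text.

    Returns (filters, watches):
      filters -> {name: (kind, [regex, ...])}   kind is 'whitelist' or 'blacklist'
      watches -> {watched_path: [filter names in the order listed]}
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    filters, watches = {}, {}
    for section in cp.sections():
        if section.startswith("filter:"):
            _, kind, name = section.split(":", 2)
            # regex1, regex2, ... in numeric key order
            regexes = [v for k, v in sorted(cp[section].items()) if k.startswith("regex")]
            filters[name] = (kind, regexes)
        elif section.startswith("fschange:"):
            path = section.split(":", 1)[1]
            order = [f.strip() for f in cp[section].get("filters", "").split(",") if f.strip()]
            watches[path] = order
    return filters, watches


def is_monitored(path, filters, order):
    """Assumed fschange filter semantics (modelled on the 4.3 docs, not Splunk's code):
    try filters in order; the first regex hit decides (whitelist -> True,
    blacklist -> False); if nothing matches the path is monitored."""
    for name in order:
        kind, regexes = filters[name]
        if any(re.search(rx, path) for rx in regexes):
            return kind == "whitelist"
    return True


def classify(paths, filters, order):
    """Map each sample path to True (reported) / False (ignored)."""
    return {p: is_monitored(p, filters, order) for p in paths}


# Constructed sample paths under the watched directory.
SAMPLE_PATHS = [
    "/path/to/dir/notes.txt",
    "/path/to/dir/app.log",
    "/path/to/dir/notes.txt.bak",
]

if __name__ == "__main__":
    flt, watches = load_filters(INPUTS_CONF)
    order = watches["/path/to/dir"]
    for p, monitored in classify(SAMPLE_PATHS, flt, order).items():
        print(f"{p}: {'reported' if monitored else 'ignored'}")
    # Without the terminal blacklist, unmatched paths fall through to 'monitored'.
    print("app.log without terminal-blacklist:", is_monitored("/path/to/dir/app.log", flt, ["configs"]))
```

Two things the run shows that the stanza alone does not: dropping `terminal-blacklist` from `filters =` silently turns the input into "monitor everything", and because the regex is unanchored, `.*\.txt` also admits `notes.txt.bak`; anchoring the whitelist as `.*\.txt$` restricts it to files that actually end in `.txt`.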
1 Solution

adamw
Communicator

What search syntax are you using when trying to find this event?

It is likely that the _audit index is not being searched by default, so if you searched "index=_audit sourcetype=fs_notification" or "index=_audit sourcetype=audittrail", depending on your deployment (see bottom of http://docs.splunk.com/Documentation/Splunk/4.3.4/Data/Monitorchangestoyourfilesystem) you would probably see the events.


bbailey1024
Explorer

That was it, thanks for the help adamw!
