issues with universal forwarder and file monitoring

plastiiq
Explorer

I'm trying to get the universal forwarder to monitor a particular executable. It would have been nice to do a hash compare but after all this time invested trying to get this to work, I'll settle for any monitoring and subsequent forwarding of the particular file.

The results should be forwarded to a Splunk server.

Here is my inputs.conf:

[fschange://C:\myapp\myapp.exe]
pollPeriod = 60
signedaudit=false
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

The log shows the following entry:

11-14-2012 04:32:36.997 -0500 INFO PipelineComponent - Pipeline fschangemanager enabled
11-14-2012 04:32:36.997 -0500 INFO loader - Instantiated plugin: fschangemanagerprocessor
11-14-2012 04:32:36.997 -0500 WARN FSChangeMonitor - Monitoring file or directory that doesn't exist at startup time - //C:\myapp\myapp.exe

The file definitely exists and it is in the path.

Does anyone have any idea where I could be going wrong?


plastiiq
Explorer

Just to add, the one single event it forwarded reads as follows:

Wed Nov 14 07:21:07 2012 action=add, path="\myapp\myapp.exe", isdir=0, size=1899520, gid=-1, uid=-1, modtime="Tue Oct 30 12:18:02 2012", mode="rwxrwxrwx", hash=

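To show what the forwarded event above actually carries, here is an added example (not part of the thread and not Splunk's own code) that parses fschange events in this format and flags the cases where the hash field stays empty, assuming hashMaxSize behaves as documented for fschange: -1 turns hashing off, and a file larger than hashMaxSize (the 1899520-byte binary above against 65535) is not hashed either. The sample events other than the first, and the baseline, are constructed.

```python
import re

# Constructed sample events in the format the forwarder emitted above:
# the first is the event from the post, the other two are made up.
SAMPLE_EVENTS = [
    r'Wed Nov 14 07:21:07 2012 action=add, path="\myapp\myapp.exe", isdir=0, size=1899520, gid=-1, uid=-1, modtime="Tue Oct 30 12:18:02 2012", mode="rwxrwxrwx", hash=',
    r'Thu Nov 15 09:02:11 2012 action=update, path="\myapp\myapp.exe", isdir=0, size=1899520, gid=-1, uid=-1, modtime="Thu Nov 15 09:02:10 2012", mode="rwxrwxrwx", hash=',
    r'Thu Nov 15 09:05:00 2012 action=update, path="\myapp\config.ini", isdir=0, size=412, gid=-1, uid=-1, modtime="Thu Nov 15 09:04:59 2012", mode="rwxrwxrwx", hash=deadbeef',
]

# Leading timestamp, then comma-separated key=value pairs (values may be quoted).
_TS = re.compile(r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<rest>.*)$')
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]*))')


def parse_fschange(line):
    """Split one fschange event into its timestamp and key=value fields."""
    m = _TS.match(line)
    if not m:
        raise ValueError("not an fschange event: %r" % line)
    fields = {"_time": m.group("ts")}
    for key, quoted, bare in _KV.findall(m.group("rest")):
        fields[key] = quoted if quoted else bare.strip()
    return fields


def check_event(event, hash_max_size, baseline):
    """Return the findings for one parsed event.

    hash_max_size mirrors the inputs.conf hashMaxSize setting (-1 = hashing off);
    baseline maps a monitored path to its known-good hash (constructed here)."""
    findings = []
    path, action = event["path"], event["action"]
    digest, size = event.get("hash", ""), int(event.get("size", "0"))
    if not digest:
        if hash_max_size == -1:
            findings.append("no hash: hashMaxSize=-1 disables hashing")
        elif size > hash_max_size:
            findings.append("no hash: size %d exceeds hashMaxSize=%d" % (size, hash_max_size))
    if action != "add" and path in baseline:
        if not digest:
            findings.append("change to %s cannot be verified against baseline" % path)
        elif digest != baseline[path]:
            findings.append("hash of %s differs from baseline" % path)
    return findings


if __name__ == "__main__":
    known_good = {r"\myapp\myapp.exe": "<known-good sha256>", r"\myapp\config.ini": "deadbeef"}
    for raw in SAMPLE_EVENTS:
        ev = parse_fschange(raw)
        print(ev["_time"], ev["action"], ev["path"], check_event(ev, 65535, known_good))
```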

plastiiq
Explorer

Actually, it looks like I got one single entry forwarded, and then nothing else after hours.

I do see:

11-14-2012 07:25:29.893 -0500 INFO loader - Instantiated plugin: queueoutputprocessor
11-14-2012 07:25:29.893 -0500 INFO PipelineComponent - Pipeline fschangemanager enabled
11-14-2012 07:25:29.893 -0500 INFO loader - Instantiated plugin: fschangemanagerprocessor

11-14-2012 07:25:30.127 -0500 INFO loader - Instantiated plugin: queueoutputprocessor
11-14-2012 07:25:30.127 -0500 INFO PipelineComponent - Pipeline archivePipe enabled
11-14-2012 07:25:30.127 -0500 INFO loader - Instantiated plugin: archiveprocessor
11-14-2012 07:25:30.205 -0500 INFO loader - Instantiated plugin: queueoutputprocessor
11-14-2012 07:25:30.205 -0500 INFO PipelineComponent - Pipeline wineventlog enabled
11-14-2012 07:25:30.205 -0500 INFO loader - Instantiated plugin: wineventloginputprocessor
11-14-2012 07:25:30.205 -0500 INFO loader - Instantiated plugin: queueoutputprocessor

But no further mention of my file or my path.

Here is the current inputs.conf

[fschange:C:\myapp\myapp.exe]
pollPeriod = 60
signedaudit=false
hashMaxSize=65535
fullEvent=true
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100


sowings
Splunk Employee

Did you change the file?


plastiiq
Explorer

Thanks for the response.

I thought of removing the // previously, only then it appeared not to work at all and there were no log entries. I uninstalled, reinstalled the forwarder deleting the old paths and files, reconfigured, and now it does in fact appear to work (sans the //).

Thanks so much!!


lguinn2
Legend

There is no // in the fschange spec:

[fschange:C:\myapp\myapp.exe]

will probably work better. Good thinking on checking the log (and including it in your question). Few people do that, it seems.
