Monitor a directory and run a script on a new file

cristiang
New Member

Hi,

I'm a beginner Splunk user and I'm trying to use Splunk to monitor an NFS directory for new files and run a (Python) script when a new file is added to the monitored directory.
I am using the following fs stanza, which seems to work, but I'm not sure how to run the script when a new file is created in that directory:

[fschange:$SPLUNK_HOME/etc]
# poll every 10 minutes
pollPeriod = 600
# generate audit events into the audit index instead of fschange events
signedaudit = true
recurse = true
followLinks = false
hashMaxSize = -1
fullEvent = false
sendEventMaxSize = -1
filesPerDelay = 10
delayInMills = 100

Thanks!

0 Karma
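For readers who end up doing this outside Splunk: the following is an added example, not code from this thread or from Splunk. It does in plain Python what the fschange stanza above does (poll on a period, recurse, skip symlinks, optionally hash files) and, because it only needs stat() on the NFS client, it works where inotify cannot fire. WATCH_ROOT, HANDLER, the meaning assigned to hashMaxSize = -1 (no hashing) and the two-poll settling rule are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
"""Poll an NFS-mounted directory for new files and hand each one to a script.

Added example (not from the thread or from Splunk). Mirrors the fschange
stanza's pollPeriod / recurse / followLinks / hashMaxSize settings in plain
Python so it runs on an NFS client where inotify does not work.
"""
import hashlib
import os
import subprocess
import sys
import time
from typing import Dict, List, NamedTuple, Optional, Tuple

WATCH_ROOT = "/mnt/nfs/incoming"               # hypothetical NFS mount
HANDLER = "/opt/scripts/process_new_file.py"   # hypothetical per-file script
POLL_PERIOD = 600                              # same value as pollPeriod = 600


class Entry(NamedTuple):
    size: int
    mtime_ns: int
    sha256: Optional[str]   # None when hashing is off or the file is too large


def file_hash(path: str, hash_max_size: int) -> Optional[str]:
    """SHA-256 of files up to hash_max_size bytes; -1 disables hashing
    (assumed to match the stanza's hashMaxSize = -1)."""
    if hash_max_size == -1 or os.path.getsize(path) > hash_max_size:
        return None
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str, recurse: bool = True, follow_links: bool = False,
             hash_max_size: int = -1) -> Dict[str, Entry]:
    """One poll: map every regular file under root to its size/mtime/hash."""
    seen: Dict[str, Entry] = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=follow_links):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not follow_links and os.path.islink(path):
                continue                       # followLinks = false
            try:
                st = os.stat(path)
            except FileNotFoundError:
                continue                       # vanished between listdir and stat
            seen[path] = Entry(st.st_size, st.st_mtime_ns, file_hash(path, hash_max_size))
        if not recurse:
            dirnames[:] = []                   # do not descend into subdirectories
    return seen


def diff(old: Dict[str, Entry], new: Dict[str, Entry]) -> Tuple[List[str], List[str], List[str]]:
    """Added, modified and removed paths between two polls."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, modified, removed


def settle(pending: Dict[str, Entry], added: List[str],
           current: Dict[str, Entry]) -> Tuple[List[str], Dict[str, Entry]]:
    """Release a new file only after two polls with identical size and mtime.

    Over NFS a file is visible while it is still being copied; acting on it at
    once would process a truncated file. Files first seen this poll go into
    `pending`; files pending from the last poll are released if unchanged.
    """
    ready: List[str] = []
    still_pending: Dict[str, Entry] = {}
    for path, prev in pending.items():
        cur = current.get(path)
        if cur is None:
            continue                           # deleted before it settled
        if cur == prev:
            ready.append(path)
        else:
            still_pending[path] = cur          # still growing, keep waiting
    for path in added:
        still_pending[path] = current[path]
    return sorted(ready), still_pending


def dispatch(paths: List[str], handler: str = HANDLER) -> List[int]:
    """Run the handler once per file as an argv list (no shell); return exit codes."""
    return [subprocess.run([sys.executable, handler, p], check=False).returncode
            for p in paths]


def watch(root: str = WATCH_ROOT, period: int = POLL_PERIOD) -> None:
    """Main loop: poll, diff, settle, dispatch; runs until interrupted."""
    previous = snapshot(root)
    pending: Dict[str, Entry] = {}
    while True:
        time.sleep(period)
        current = snapshot(root)
        added, _modified, _removed = diff(previous, current)
        ready, pending = settle(pending, added, current)
        if ready:
            dispatch(ready)
        previous = current


if __name__ == "__main__":
    watch()
```

Run it as a service under an account that has read-only access to the mount; the file path reaches the handler as a single argv element, so a file name containing spaces or shell metacharacters is never interpreted by a shell.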

cristiang
New Member

Hi,
Thanks for the comment!
Indeed, inotify was my first option, but the problem is that I don't have access to the NFS server and, as you mentioned, inotify will not trigger an event on a remote machine as this is a kernel feature.
Since we are already using Splunk, I thought this could help us with this issue. I've read that fschange monitors have been deprecated and it is now recommended to use an auditd module in order to watch for these events, but we're trying to come up with the simplest solution for this problem.
Did you have any success with an NFS file monitoring solution using inotify or something similar?

0 Karma

acharlieh
Influencer

Splunk may not be the correct tool for your use case.

First of all, fschange monitors have been deprecated since Splunk 5 and could be removed at any time.

Second: Splunk is more about recording events, extracting information and correlating them. If you had something producing events into Splunk (like the fschange monitor) and you had a scheduled search on your search head, you could kick off a custom alert action to execute your script from the search head, but that may not be what you're looking to do.

I am not as familiar as I should be with all the ins and outs of Phantom yet; however, based on signals, they too can invoke playbook actions to automate tasks, but I'm not exactly sure of the mechanics there.

I suspect, however, if you have access to the NFS server, you may be looking for an inotify-based tool, as has been suggested in this Stack Overflow question: https://stackoverflow.com/q/14692353/504685

But if you don't have that sort of access to the NFS server you may run into issues, and are likely looking for a different solution: https://stackoverflow.com/a/4231277/504685

0 Karma
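The chain described in this answer (fschange events indexed, a scheduled search selecting them, a custom alert action running the script from the search head) can be closed with a small alert-action script. The following is an added example, not code from the thread or from Splunk. It follows the custom alert action contract Splunk documents (the script is invoked with `--execute` and receives a JSON payload on stdin whose `results_file` is a gzipped CSV of the search results). The event field names `action` and `path`, the install name `run_on_new_file.py`, ALLOWED_ROOT and HANDLER are assumptions for illustration; the containment check exists because search results are data pulled from the index, not trusted input.

```python
#!/usr/bin/env python3
"""Splunk custom alert action: run a script for each new-file event.

Added example (not from the thread or from Splunk). Install as
$SPLUNK_HOME/etc/apps/<app>/bin/run_on_new_file.py (hypothetical name) and
bind it to a scheduled search such as
    index=... sourcetype=fs_notification action=add
The field names, ALLOWED_ROOT and HANDLER are assumptions.
"""
import csv
import gzip
import json
import os
import subprocess
import sys
from typing import Dict, Iterable, List

ALLOWED_ROOT = "/mnt/nfs/incoming"             # hypothetical NFS mount
HANDLER = "/opt/scripts/process_new_file.py"   # hypothetical per-file script


def read_results(results_file: str) -> List[Dict[str, str]]:
    """The payload's results_file is a gzipped CSV holding every result row."""
    with gzip.open(results_file, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def is_under(path: str, root: str) -> bool:
    """True only if the normalised path stays inside root.

    Rejects '..' traversal and absolute paths outside the watched tree. Uses
    normpath rather than realpath so the check also works for paths that no
    longer exist on this host.
    """
    root_n = os.path.normpath(root)
    norm = os.path.normpath(os.path.join(root_n, path))
    return os.path.commonpath([norm, root_n]) == root_n


def select_new_files(rows: Iterable[Dict[str, str]], root: str = ALLOWED_ROOT) -> List[str]:
    """Keep add events whose path is inside root; dedupe, keep first-seen order."""
    chosen: List[str] = []
    for row in rows:
        if row.get("action") != "add":        # ignore update/delete events
            continue
        path = row.get("path", "")
        if not path or not is_under(path, root):
            continue                           # outside the allowed tree: skip
        norm = os.path.normpath(os.path.join(root, path))
        if norm not in chosen:
            chosen.append(norm)
    return chosen


def run_handler(paths: List[str], handler: str = HANDLER) -> List[int]:
    """argv list, never shell=True: a path with shell metacharacters stays an
    argument instead of becoming a command. Returns one exit code per path."""
    return [subprocess.run([sys.executable, handler, p], check=False).returncode
            for p in paths]


def main() -> int:
    """Entry point per Splunk's alert-action contract: --execute, JSON on stdin,
    non-zero exit plus a stderr line marks the action as failed."""
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        sys.stderr.write("FATAL: expected --execute\n")
        return 1
    payload = json.load(sys.stdin)
    rows = read_results(payload["results_file"])
    codes = run_handler(select_new_files(rows))
    failed = sum(1 for c in codes if c != 0)
    if failed:
        sys.stderr.write(f"ERROR: {failed} handler run(s) failed\n")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Two design points worth keeping even if the rest is adapted: the path check happens before anything executes, and the handler is launched with an argument list rather than a shell string, so a hostile file name written into the NFS export cannot turn into a command on the search head.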