Hello everyone!
I need to audit when someone edits the "test" file in the following paths, for example:
opt/tomcat/webapps/file1/file2/file/ nano test
and
nano opt/tomcat/webapps/file1/file2/file/ test
In the first case I see the event made on the test file, but in the second one I do not see any event registered.
What should I modify in the syslog to register both events in Splunk?
Thanks in advance! 🙂
Hi @trinidad,
probably it's a transcription error, but there's a space between the path and the filename.
Anyway, insert in your search the string to search:
index=my_index ("opt/tomcat/webapps/file1/file2/file/ nano test" OR "nano opt/tomcat/webapps/file1/file2/file/test")
| ...
Ciao.
Giuseppe