Getting Data In

Monitor empty files?

ftk
Motivator

I have a business need to monitor 0 kb files. I can get this to work using fschange, however with fschange being deprecated in 5.x this is not a viable option. I would prefer using monitor rather than a script, and only want to index new files, with the system time being used as timestamp (DATETIME_CONFIG=CURRENT).

Any ideas?

1 Solution

bmacias84
Champion

If you don't want to use a script or a modular input, then use Windows Security Auditing. You will have to monitor the Security Event Logs. The Windows Security Event logs can be really noisy, so you might have to build some transforms to filter the data.

  1. On your Windows server, right-click the folder/directory. Select Properties.
  2. Click the Security tab. Click Advanced.
  3. Click the Auditing tab. Click Edit.
  4. Click Add...
  5. For Object Name enter: EVERYONE. Click Check Name. Click OK.
  6. The Managing audit window will appear. Check Successful and Failed for the following accesses: Create files / write data; Create folders / append data; Delete subfolders and files; Delete.

This should give you what you need. Though it's been a while, so you're going to have to dig up the EventID corresponding to the create/append/delete of a file. I think it might be 560 or 4616. Also, you may need to turn on Audit object access through Local Group Policy.

Additional info:

Hope this helps or gets you started. If you have additional questions, I'll try to help.

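Since the asker is on Windows 2008, the same audit entry that steps 1-6 set through the Properties dialog can be applied from an elevated PowerShell prompt. This is an added example, not code from the answer above; the folder path is an assumption, and the closing check uses event ID 4663 (an attempt was made to access an object), which is the Vista/2008 successor of the 560 ID guessed in the answer.

```powershell
# Added example, not from the answer above: applies the audit entry from
# steps 1-6 with PowerShell instead of the Properties dialog.
# $WatchFolder is an assumed path; point it at the vendor drop folder.
$WatchFolder = 'D:\vendor\inbound'

# The "Audit object access" policy from the answer, set with the built-in
# auditpol tool. Without it the SACL below is stored but no events are written.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# -Audit is required; without it Get-Acl returns the DACL only and a later
# Set-Acl would leave the SACL untouched.
$acl = Get-Acl -Path $WatchFolder -Audit

# The four accesses listed in step 6. CreateFiles shares its bit with
# WriteData, and CreateDirectories shares its bit with AppendData.
$rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, DeleteSubdirectoriesAndFiles, Delete'

# EVERYONE, success and failure, inherited by subfolders and files.
$ruleArgs = @(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs

$acl.AddAuditRule($rule)
Set-Acl -Path $WatchFolder -AclObject $acl

# Confirm the entry landed on the folder.
(Get-Acl -Path $WatchFolder -Audit).Audit |
    Format-List IdentityReference, FileSystemRights, AuditFlags

# Check that events arrive once a 0 KB .done file is dropped: 4663 is the
# file-system object-access event on Windows 2008 (assumption: the .done
# files are created directly under $WatchFolder).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 20 |
    Where-Object { $_.Message -like "*$WatchFolder*" } |
    Select-Object TimeCreated, Id
```

Set-Acl on a SACL needs the Manage auditing and security log right, so run this elevated; the Splunk forwarder then only needs the Security event log input, and the event's own timestamp replaces the DATETIME_CONFIG=CURRENT workaround.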

ben_leung
Builder

I have the same situation where we have to monitor files that are 0 KB. The forwarder hangs during this time and creates a lag time for any other files to be monitored. This is on a Linux-based OS. How would you resolve the hang time?


ftk
Motivator

That's a great idea. Not sure why I didn't think of that since we are using the SACLs for FIM already...thanks!


ftk
Motivator

The files never grow. They are being used as a simple flag by the vendor, i.e. ABCD.zip will receive ABCD.done at 0 kb length to flag the file as processed.


gregbujak
Path Finder

Do these files grow? Do you need to know that they stayed empty and you want to know when they start growing? Or is it a simple flag that indicates something happened?


ftk
Motivator

OS is Windows 2008.


bmacias84
Champion

This will vary depending on OS. Which OS are you trying to do this for?
