Getting Data In

Monitor empty files?

ftk
Motivator

I have a business need to monitor 0 kb files. I can get this to work using fschange, however with fschange being deprecated in 5.x this is not a viable option. I would prefer using monitor rather than a script, and only want to index new files, with the system time being used as timestamp (DATETIME_CONFIG=CURRENT).

Any ideas?

1 Solution

bmacias84
Champion

If you don't want to use a script or a modular input, then use Windows Security Auditing. You will have to monitor the Security Event Logs. The Windows Security Event logs can be really noisy, so you might have to build some transforms to filter data.

  1. On your Windows Server, right-click the folder/directory. Select Properties.
  2. Click the Security tab. Click Advanced.
  3. Click the Auditing tab. Click Edit.
  4. Click Add...
  5. For Object Name enter: EVERYONE. Click Check Names. Click OK.
  6. A Managing audit window will appear. Check Successful and Failed for the following accesses: Create files / write data; Create folders / append data; Delete subfolders and files; Delete.

This should give you what you need. Though it's been a while, so you are going to have to dig up the EventID corresponding to the create/append/delete of a file. I think it might be 560, 4616. Also you may need to turn on Audit object access through Local Group Policy.

Additional info:

Hope this helps or gets you started. If you have additional questions I'll try to help.
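The six GUI steps in the answer above, written as a PowerShell script. This is an added example, not part of the original answer; the folder path is a placeholder and it assumes an elevated session, since writing a SACL needs SeSecurityPrivilege.

```powershell
# Added example (not from the original post): apply the folder SACL from the
# answer's steps 1-6 with PowerShell instead of the Properties dialog.
# Assumes an elevated session; $Path is a placeholder for the vendor drop folder.
param(
    [string]$Path = 'C:\vendor\drop'   # placeholder, replace with the real folder
)

# Step 6: the four accesses the answer lists. In the FileSystemRights enum
# CreateFiles is "Create files / write data" and AppendData is
# "Create folders / append data".
$rights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
          [System.Security.AccessControl.FileSystemRights]::AppendData -bor
          [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
          [System.Security.AccessControl.FileSystemRights]::Delete

# Audit both Successful and Failed attempts, as the answer says.
$flags = [System.Security.AccessControl.AuditFlags]::Success -bor
         [System.Security.AccessControl.AuditFlags]::Failure

# Inherit to subfolders and files so a new ABCD.done dropped in the folder is covered.
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
           [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Step 5: the principal is Everyone. On a non-English OS use the well-known
# SID S-1-1-0 (SecurityIdentifier) instead of the localized account name.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList 'Everyone', $rights, $inherit, $propagate, $flags

# -Audit makes Get-Acl read the SACL (not only the DACL) so Set-Acl can write it back.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# The SACL produces no events until object-access auditing is enabled. This is
# the per-subcategory form of the "Audit object access" policy the answer mentions.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
```

The resulting events land in the Security log, which Splunk reads with a WinEventLog Security input; as the answer notes, confirm the EventCode for file creation in your own environment before building filters on it.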


ben_leung
Builder

I have the same situation where we have to monitor files that are 0kb. The forwarder hangs during this time and creates a lag time for any other files to be monitored. This is in a Linux-based OS. How would you resolve the hang time?

ftk
Motivator

That's a great idea. Not sure why I didn't think of that since we are using the SACLs for FIM already...thanks!


ftk
Motivator

The files never grow. They are being used as a simple flag by the vendor, i.e. ABCD.zip will receive ABCD.done at 0 kb length to flag the file as processed.


gregbujak
Path Finder

Do these files grow? Do you need to know that they stayed empty and you want to know when they start growing? Or is it a simple flag that indicates something happened?


ftk
Motivator

OS is Windows 2008.


bmacias84
Champion

This will vary depending on OS. Which OS are you trying to do this for?
