All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SplunkLightForwarder + nix app + fschange, can this work?

bbeveridge
Engager
‎05-09-2010 10:57 PM

SplunkLightForwarder + nix app + fschange, can this work?

From what i read, when enabling the light forwarder it disables the fschange module.

In my scenario, having to use the full forwarder to get those above 2 things seems rather overkill.

Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎05-10-2010 05:08 AM

I don't know why people keep saying that enabling the light forwarder disables fschange. It does not. (If you wouldn't mind linking to where you read that, I will have it corrected.)

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎05-10-2010 05:08 AM

I don't know why people keep saying that enabling the light forwarder disables fschange. It does not. (If you wouldn't mind linking to where you read that, I will have it corrected.)

Reply
Solved! Jump to solution

Jason
Motivator
‎08-24-2010 04:59 PM

It sounds as if there is a bug with light forwarder and fschange. From Known Issues at http://www.splunk.com/base/Documentation/latest/ReleaseNotes/Knownissues : When configuring file system change monitor (fschange) on a forwarder, if signedaudit = true and index=_audit are not explicitly set, fschange events do not get forwarded. (SPL-25294) Also in Answers http://answers.splunk.com/questions/2882/using-fschange-to-monitor-windows-filesystem

0 Karma
Reply
Solved! Jump to solution

bbeveridge
Engager
‎05-10-2010 06:19 AM

looks like i was referencing non official documenation on the limitations of the light forwarder, it looks like splunk 3.x had this limitation based on: http://www.splunk.com/base/index.php?title=Documentation:Tmp:EnableTheSplunkForwarderOrLightForwarde...

and id also seen it mentioned on numerous forum/wikis

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...