Hi,
I would like to check for changes to some config files in the /etc directory on a bunch of servers. I have this entry in the inputs.conf file:
[fschange:/etc/]
index = volatile
sourcetype = linux_configfile
pollPeriod = 360
sendEventMaxSize = -1
fullEvent = true
filters = systemfiles,terminal-blacklist

[filter:whitelist:systemfiles]
regex1 = passwd
regex2 = shadow
regex3 = group

[filter:blacklist:terminal-blacklist]
regex1 = .?
It is working, as any changes are logged and sent to the central Splunk server. The issue is that I am getting this event only:
Thu Feb 24 17:07:40 2011 action=update, path="/etc/passwd", isdir=0, size=2338, gid=0, uid=0, modtime="Thu Feb 24 17:07:40 2011", mode="rw-r--r--", hash=, chgs="modtime "
And I would like to have the full file. I thought the "fullEvent" parameter was just for that, but it looks like it isn't.
What am I doing wrong?
Many thanks
Oscar
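The fschange event line quoted above, parsed into fields and classified as a metadata-only change (only modtime listed in chgs, no hash recorded) versus a content change; this is an added example, not code from the thread or from Splunk, and the second sample event plus the assumption that a content change shows up as "size"/"hash" in chgs are constructed for illustration:

```python
import re
from datetime import datetime

# Leading timestamp as fschange writes it ("Thu Feb 24 17:07:40 2011"), then key=value pairs.
_TS_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")
# A value is either double-quoted (may hold spaces/commas) or bare (may be empty, as in hash=).
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]*)')

# Assumption: fschange lists "size" and/or "hash" in chgs when the file's bytes changed.
CONTENT_CHANGE_FIELDS = {"size", "hash"}

def parse_fschange(line):
    """Split one fschange event into (timestamp, dict of fields); chgs becomes a list of names."""
    m = _TS_RE.match(line.strip())
    if not m:
        raise ValueError("not an fschange event: %r" % line)
    ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
    fields = {}
    for key, value in _KV_RE.findall(m.group(2)):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value.strip()
    fields["chgs"] = fields.get("chgs", "").split()
    return ts, fields

def classify(fields):
    """'metadata-update' if only attributes (modtime, mode, owner) changed,
    'content-update' if size/hash changed, otherwise the raw action value."""
    if fields.get("action") != "update":
        return fields.get("action", "unknown")
    if CONTENT_CHANGE_FIELDS & set(fields["chgs"]):
        return "content-update"
    return "metadata-update"

def triage(lines, watched=("/etc/passwd", "/etc/shadow", "/etc/group")):
    """One summary per event on a watched path: what changed and whether a hash was recorded."""
    out = []
    for line in lines:
        ts, f = parse_fschange(line)
        if f.get("path") in watched:
            out.append({"time": ts.isoformat(), "path": f["path"],
                        "category": classify(f), "hash_recorded": bool(f.get("hash"))})
    return out

# Sample input: first line is the event from the question; the second is constructed.
SAMPLE_EVENTS = [
    'Thu Feb 24 17:07:40 2011 action=update, path="/etc/passwd", isdir=0, size=2338, gid=0, uid=0, '
    'modtime="Thu Feb 24 17:07:40 2011", mode="rw-r--r--", hash=, chgs="modtime "',
    'Thu Feb 24 17:09:02 2011 action=update, path="/etc/shadow", isdir=0, size=1190, gid=0, uid=0, '
    'modtime="Thu Feb 24 17:09:02 2011", mode="rw-r-----", hash=0123456789abcdef, chgs="size modtime hash "',
]
```

Running `triage(SAMPLE_EVENTS)` labels the /etc/passwd event as metadata-update with no hash recorded, which is the situation the question describes.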
This answer should help:
http://answers.splunk.com/questions/7081/fschange-fulleventtrue-but-no-full-event
Um, I am still only getting the event with the nature of the change, but not the complete file, that is what I am looking for...