FS Change keeps adding and deleting files from monitoring

jdunlea_splunk
Splunk Employee

I am monitoring /etc/hosts.allow and /etc/hosts.deny for change, with a poll period of 300 seconds.

[fschange:/etc/hosts.allow]
index = fschange_main
pollPeriod = 300

[fschange:/etc/hosts.deny]
index = fschange_main
pollPeriod = 300

For some reason, every poll period (5 mins) I get 2 events for each file... one with "action=add" and another with "action=delete"... as I said, this keeps happening once per poll period.

Can someone tell me what is wrong? I do not have duplicate fschange stanzas for those files.

Thanks!

John
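For reference, this is what a poll-based file monitor is expected to emit for the two files above: an event only when the file's state actually changes between polls (add, delete or modify), and nothing at all when the content is unchanged. The script below is an added example written for this thread, not Splunk's fschange implementation; it uses a constructed copy of hosts.allow and hosts.deny in a temporary directory so it runs anywhere, and it can be pointed at the real /etc paths to cross-check whether the files themselves are being removed and recreated every five minutes or whether the add/delete pair is coming from the monitor.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Optional, Tuple

# The same two paths as the inputs.conf stanzas above.
WATCHED_FILES = ["/etc/hosts.allow", "/etc/hosts.deny"]


def sha256_of(path: str) -> Optional[str]:
    """SHA-256 hex digest of a file, or None if the file does not exist."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return None


def snapshot(paths: Iterable[str]) -> Dict[str, str]:
    """Map each existing path to its content hash; missing files are omitted."""
    snap: Dict[str, str] = {}
    for path in paths:
        digest = sha256_of(path)
        if digest is not None:
            snap[path] = digest
    return snap


def diff_snapshots(previous: Dict[str, str],
                   current: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (action, path) pairs for files whose state changed between two polls.

    A file present in both snapshots with the same hash yields no event, so an
    unchanged file can never produce an add/delete pair on every poll.
    """
    events: List[Tuple[str, str]] = []
    for path in sorted(set(previous) | set(current)):
        before, after = previous.get(path), current.get(path)
        if before is None and after is not None:
            events.append(("add", path))
        elif before is not None and after is None:
            events.append(("delete", path))
        elif before != after:
            events.append(("modify", path))
    return events


def run_demo() -> List[Tuple[str, str]]:
    """Walk constructed copies of the two files through three polls:
    unchanged, then hosts.deny edited, then hosts.allow removed."""
    events: List[Tuple[str, str]] = []
    with tempfile.TemporaryDirectory() as tmp:
        allow = os.path.join(tmp, "hosts.allow")
        deny = os.path.join(tmp, "hosts.deny")
        for path in (allow, deny):
            with open(path, "w") as fh:
                fh.write("sshd: 10.0.0.0/8\n")  # constructed sample content
        paths = [allow, deny]
        prev = snapshot(paths)

        # Poll 1: nothing changed, so a correct monitor emits no events.
        events += diff_snapshots(prev, snapshot(paths))

        # Poll 2: hosts.deny edited -> exactly one modify event.
        with open(deny, "a") as fh:
            fh.write("ALL: ALL\n")
        curr = snapshot(paths)
        events += diff_snapshots(prev, curr)
        prev = curr

        # Poll 3: hosts.allow removed -> exactly one delete event.
        os.remove(allow)
        events += diff_snapshots(prev, snapshot(paths))
    # Report basenames so the output does not depend on the temp dir name.
    return [(action, os.path.basename(path)) for action, path in events]


if __name__ == "__main__":
    for action, name in run_demo():
        print(f"action={action} path={name}")
```

To use it against the live files, call snapshot(WATCHED_FILES) once per poll period and feed consecutive snapshots to diff_snapshots; if it reports no events while fschange keeps logging add/delete, the files are stable and the noise is on the monitoring side.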

daniel333
Builder

Was there ever a fix to this? Seems like a weird problem to have; other files are working great.

0 Karma

bosburn_splunk
Splunk Employee

This is a known issue. It's unknown if / when it will be fixed since fschange is a deprecated feature.

0 Karma

flo_cognosec
Communicator

Yep, here too 😞

0 Karma

gavin1_davenpor
Path Finder

bump. Happening here too.

0 Karma