- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- fschange with universal Forwarder
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey guys, I've seen a couple of similar questions to mine but nothing has helped. I have a very simple edit in the inputs.conf of my Universal Forwarder on a Windows Server.
It has in it;
[default]
host = server2003-splu
[fschange:C:\Program Files\]
index = _audit
signedaudit = false
#pollPeriod = 1
#hashMaxSize = 10485760
#fullEvent = true
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 0
Any reason why when i do a search
index=_audit sourcetype=fs_notification host=server2003-splu
it doesn't come back with anything even after adding, changing and deleting files and folders in the Program Files directory?
Thanks for any help you can give me
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It works now. Same config, same search nothing changed. It was a stupid mistake after all, the Universal Forwarder was not being restarted properly.
Answer:
Make sure you restart the server properly
C:\Program Files\SplunkUniversalForwarder\bin>splunk.exe restart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It works now. Same config, same search nothing changed. It was a stupid mistake after all, the Universal Forwarder was not being restarted properly.
Answer:
Make sure you restart the server properly
C:\Program Files\SplunkUniversalForwarder\bin>splunk.exe restart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry, I didn't mean to sound pushy
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your question was posted only an hour ago. You can't expect people doing this on their spare time to always see and respond to the question immediately...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The sourcetype should be fs_notification, not fs_notifications. Also you have a typo in the stanza below (diasbled instead of disabled), though that shouldn't affect the fschange stanza.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey, thanks for your answer, but that's a typo on my behalf, any query I use to search does not bring any results (I'll edit the question with the right search parameters though thanks for pointing it out)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No one knows how I can change my file to make it work? I don't mind rewriting it if someone thinks it needs to be changed completely
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
