From Splunk Wiki
Deploy:How To Setup fschange with fullEvent in UF and Indexer
Please be aware that the fschange feature was deprecated in v5.0.
Splunk recommends using the OS-native audit service, which runs in kernel space, instead of fschange, which runs in user space.
fschange monitors files and directories and generates events when they are created, updated, or deleted. With fullEvent enabled, the whole file is indexed whenever fschange detects a change in it. "monitor" and "fschange" cannot be used together for the same directories.
When fschange is enabled on a UF, a little more configuration is needed. The following is an example of changing the sourcetype of the fullEvent file when it is sent from a UF. Please note that there is a bug around a custom index for fschange: you may sometimes see extra add/delete fschangemonitor events even when no such file system change has happened. There is no good workaround when this happens, so if you encounter this bug you should move to an OS-based audit service.
# fschange at UF/LWF, sending fullEvent to a custom index (index = <custom>) at the indexer.
# At the indexer side, LINE_BREAKER is needed so that each whole file is parsed as one event.

1. @UF, configure inputs.conf

    [fschange:$SPLUNK_HOME/etc]
    # poll every 30 sec
    pollPeriod = 30
    # false: generate plain fschange events into the index below
    # (true would instead send signed audit events to the _audit index)
    signedaudit = false
    index = uf-fschange
    sourcetype = uf-fschange
    fullEvent = true
    # Defaults. As a good practice, do not add a default value unless you need to change it.
    #recurse = true
    #followLinks = false
    #hashMaxSize = -1
    #sendEventMaxSize = -1

2. (optional) @UF, configure a sourcetype for the "fullEvent" file if you would like to

    [source::/home/masa/splunkforwarder432/etc/...]
    sourcetype = change
    # The following is optional, not required at all
    LEARN_SOURCETYPE = false
    # The following is the default, so there is no need to edit it
    LEARN_MODEL = false

3. @Indexer, configure props.conf

    [source::/home/masa/splunkforwarder432/etc/...]
    # a regex that never matches, so the whole file becomes a single event
    LINE_BREAKER = ((?!))
    # raise the per-event byte limit so a large file is not cut off
    TRUNCATE = 200000
    SHOULD_LINEMERGE = false

4. @Indexer, add an index called uf-fschange in indexes.conf

    [uf-fschange]
    coldPath = $SPLUNK_DB/uf-fschange/colddb
    homePath = $SPLUNK_DB/uf-fschange/db
    thawedPath = $SPLUNK_DB/uf-fschange/thaweddb
    maxTotalDataSizeMB = 5000

5. Expected result when you edit props.conf at the UF

    # $SPL432/bin/splunk search "index=uf-fschange | head 3 | table source sourcetype host" -auth admin:changeme
    source                                                     sourcetype   host
    ---------------------------------------------------------  -----------  -------------------
    fschangemonitor                                            uf-fschange  centos62-64sup02-uf   (props.conf update)
    /home/masa/splunkforwarder432/etc/system/local/props.conf  change       centos62-64sup02-uf   (sourcetype was changed)
    fschangemonitor                                            uf-fschange  centos62-64sup02-uf   (parent dir. update)
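As an added example (not from the wiki page or from Splunk), a small Python check for the rule that "monitor" and "fschange" must not cover the same directories: it parses inputs.conf stanzas, expands $SPLUNK_HOME to an assumed location (/opt/splunkforwarder), and reports every fschange path that contains or lies inside a monitor path. The sample inputs.conf is constructed for the example.

```python
import posixpath

# Constructed sample inputs.conf (not from the wiki page): the page's fschange stanza
# plus one monitor stanza that overlaps it and one that does not.
SAMPLE_INPUTS_CONF = """\
[fschange:$SPLUNK_HOME/etc]
pollPeriod = 30
signedaudit = false
index = uf-fschange
sourcetype = uf-fschange
fullEvent=true

[monitor://$SPLUNK_HOME/etc/system/local]
index = main

[monitor:///var/log/messages]
index = os
"""

def parse_stanzas(text: str) -> dict:
    """Parse Splunk .conf text into {stanza: {key: value}}, skipping blank and # lines."""
    stanzas: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def _norm(path: str, splunk_home: str) -> str:
    # Expand $SPLUNK_HOME (assumed install location) so prefix comparison works on real paths.
    return posixpath.normpath(path.replace("$SPLUNK_HOME", splunk_home))

def find_monitor_fschange_overlaps(text: str, splunk_home: str = "/opt/splunkforwarder") -> list:
    """Return (fschange_path, monitor_path) pairs where one path is equal to or inside the other."""
    stanzas = parse_stanzas(text)
    fschange = [_norm(s[len("fschange:"):], splunk_home) for s in stanzas if s.startswith("fschange:")]
    monitor = [_norm(s[len("monitor://"):], splunk_home) for s in stanzas if s.startswith("monitor://")]
    overlaps = []
    for f in fschange:
        for m in monitor:
            if f == m or m.startswith(f + "/") or f.startswith(m + "/"):
                overlaps.append((f, m))
    return overlaps
```

Run it against the UF's merged inputs.conf (e.g. the output of `splunk btool inputs list`) before enabling fschange; any pair it returns is a directory that must be removed from one of the two input types.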