From Splunk Wiki

Deploy:How To Setup fschange with fullEvent in UF and Indexer

Please be aware that the fschange feature was deprecated in v5.0.
Splunk recommends using the OS-native audit service, which runs in kernel space, instead of Splunk's fschange, which runs in user space.
fschange monitors files and directories and generates events when they are created, updated, or deleted. The fullEvent attribute indexes the whole file whenever fschange detects a change in it. "monitor" and "fschange" cannot be used together on the same directories.

When fschange is enabled on a UF, a bit more configuration is needed. This is an example of changing the sourcetype of the fullEvent file when it is sent from a UF. Please note that there is a bug around using a custom index for fschange: sometimes you will see extra add/delete fschangemonitor events even when no such file system change has happened. There is no good workaround when this happens, so if you encounter this bug you should move to an OS-based audit service.

# fschange at the UF/LWF
# index = <custom> at the indexer
# and send fullEvent
# At the indexer side, LINE_BREAKER (and a larger TRUNCATE) is needed so the whole file is parsed as one event

1. @UF, configure inputs.conf

- inputs.conf
# poll every 30 sec
pollPeriod = 30
# false: emit fschange events to the index/sourcetype below.
# true would instead write signed audit events to the _audit index and ignore index/sourcetype.
signedaudit = false
index = uf-fschange
sourcetype = uf-fschange
# Leave the remaining attributes at their defaults unless you need to change them
# (as a good practice, do not restate a default value in the stanza).

2. (Optional) @UF, configure a sourcetype for the "fullEvent" file if you would like to

- props.conf
# Optional, not required at all: assign a different sourcetype to the fullEvent file
# (the expected result in step 5 shows it arriving with sourcetype "change")
sourcetype = change
# Everything else stays at its default, so no further editing is needed.

3. @Indexer, configure props.conf

- props.conf
# Raise the per-event size limit (default 10000 bytes) so a whole fullEvent file is indexed as one event
TRUNCATE = 200000

4. @Indexer, add index db called uf-fschange in indexes.conf

- indexes.conf
coldPath = $SPLUNK_DB/uf-fschange/colddb
homePath = $SPLUNK_DB/uf-fschange/db
thawedPath = $SPLUNK_DB/uf-fschange/thaweddb
maxTotalDataSizeMB = 5000

5. Expected result when you edit props.conf at the UF
# $SPL432/bin/splunk search "index=uf-fschange | head 3 | table source sourcetype host " -auth admin:changeme
                         source                           sourcetype        host
--------------------------------------------------------- ----------  -------------------
fschangemonitor                                           uf-fschange centos62-64sup02-uf (props.conf update)
/home/masa/splunkforwarder432/etc/system/local/props.conf change      centos62-64sup02-uf (sourcetype was changed)
fschangemonitor                                           uf-fschange centos62-64sup02-uf (parent dir. update)
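The snippets above show the attribute lines but not the stanza headers they belong to, and the page's warnings (monitor and fschange must not share a directory, fullEvent needs a larger TRUNCATE on the indexer, signedaudit = true bypasses the custom index) are easy to break when the settings are spread across a UF and an indexer. The following checker is an added example, not code from the Splunk wiki page or from Splunk: it reads inputs.conf and the indexer's props.conf as plain INI text and reports those three pitfalls. The monitored path /var/tmp/watched and all stanza contents are constructed sample data; the stanza names [fschange:<path>] and [monitor://<path>] and the 10000-byte default for TRUNCATE are Splunk's real ones, while the minimal parser ignores the configuration layering and other defaults that a real splunkd applies.

```python
"""Checker for fschange/fullEvent misconfigurations on a UF and its indexer.

Added example; not part of the Splunk wiki page. Reads Splunk .conf text with
a minimal INI parser (stanzas, key = value, '#' comment lines) and ignores the
layering and defaults that real splunkd applies. Sample data is constructed.
"""
import configparser
import posixpath

DEFAULT_TRUNCATE = 10000  # splunkd default for TRUNCATE (bytes per event)


def load_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: TRUNCATE, fullEvent, pollPeriod
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def _same_or_nested(a, b):
    """True when the two directories are equal or one contains the other.
    fschange recurses by default, so a monitor path below the fschange root
    still collides with it."""
    a, b = posixpath.normpath(a), posixpath.normpath(b)
    return a == b or a.startswith(b + "/") or b.startswith(a + "/")


def _is_true(value):
    return str(value).strip().lower() in ("true", "1", "yes")


def check_fschange(inputs, indexer_props):
    """Return a list of findings for every [fschange:<path>] stanza in inputs.
    Missing boolean attributes are treated as false here."""
    findings = []
    monitors = {s: s[len("monitor://"):] for s in inputs if s.startswith("monitor://")}
    for stanza, attrs in inputs.items():
        if not stanza.startswith("fschange:"):
            continue
        path = stanza[len("fschange:"):]
        # 1. monitor and fschange cannot cover the same directory tree
        for mon, mon_path in monitors.items():
            if _same_or_nested(path, mon_path):
                findings.append(f"[{stanza}] overlaps with [{mon}]: monitor and fschange cannot share a path")
        # 2. signedaudit = true sends signed events to _audit and ignores index/sourcetype
        if _is_true(attrs.get("signedaudit", "false")):
            for key in ("index", "sourcetype"):
                if key in attrs:
                    findings.append(f"[{stanza}] {key} is ignored when signedaudit = true (events go to _audit)")
        # 3. fullEvent ships whole files: the indexer must raise TRUNCATE for that sourcetype
        if _is_true(attrs.get("fullEvent", "false")):
            st = attrs.get("sourcetype")
            props = indexer_props.get(st, {}) if st else {}
            truncate = int(props.get("TRUNCATE", DEFAULT_TRUNCATE))
            if truncate != 0 and truncate <= DEFAULT_TRUNCATE:
                findings.append(f"[{stanza}] fullEvent = true but TRUNCATE for sourcetype {st!r} is {truncate}: "
                                "files longer than that are cut")
    return findings


def run(inputs_text, props_text):
    return check_fschange(load_conf(inputs_text), load_conf(props_text))


# Constructed sample: a UF inputs.conf with a monitor stanza under the fschange root,
# and an indexer props.conf that never raised TRUNCATE for the sourcetype.
BAD_INPUTS = """\
[fschange:/var/tmp/watched]
pollPeriod = 30
fullEvent = true
signedaudit = false
index = uf-fschange
sourcetype = uf-fschange

[monitor:///var/tmp/watched/sub]
sourcetype = plain-text
"""
BAD_INDEXER_PROPS = """\
[uf-fschange]
SHOULD_LINEMERGE = false
"""

# Constructed sample: the same deployment with the monitor stanza removed and TRUNCATE raised.
FIXED_INPUTS = """\
[fschange:/var/tmp/watched]
pollPeriod = 30
fullEvent = true
signedaudit = false
index = uf-fschange
sourcetype = uf-fschange
"""
FIXED_INDEXER_PROPS = """\
[uf-fschange]
TRUNCATE = 200000
SHOULD_LINEMERGE = false
"""

if __name__ == "__main__":
    for finding in run(BAD_INPUTS, BAD_INDEXER_PROPS):
        print("FINDING:", finding)
    print("fixed config findings:", run(FIXED_INPUTS, FIXED_INDEXER_PROPS))
```

Run it against the text of $SPLUNK_HOME/etc/system/local/inputs.conf on the forwarder and props.conf on the indexer (read with open().read()) before restarting either side; the two constructed samples show the output for a broken and a corrected pair.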
