Monitoring the Filesystem with Splunk

I have used OSSEC in the past to watch the file system for changes. When I found that I can have the Splunk agent handle the monitoring itself, I was pretty excited. Since I would send my OSSEC data to Splunk anyway, it just seemed logical to have Splunk do everything.

In Windows, you need to edit the “c:\program files\Splunk\etc\system\local\inputs.conf” file. Of course your path could be different if you installed it in a different place. There are a lot of options and switches you can use. I went for the simplest set.

[fschange:d:\temp]
recurse=true
pollPeriod=3600

This will monitor the d:\temp folder and all files and folders under it. It will check the system every 3600 seconds (1 hour).

This has helped me keep track of the changes in my servers. I can see when a file was added/deleted/changed (due to the hash) and then look at who was logged in during the period that the file was changed.
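To show what the fschange input is doing under the hood, here is an added Python example (not from the post and not Splunk's code) that does the same thing: it hashes every file under a folder on each poll, honours recurse and followLinks the way the stanza options above do, and classifies what changed between two polls as add, delete or update. The sample tree and the action names are constructed for the demo.

```python
import hashlib
import os
import tempfile


def snapshot(root, recurse=True, follow_links=False):
    """Return {path: sha256} for every regular file under root.
    recurse / follow_links mirror the fschange options recurse= and followLinks=."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=follow_links):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and not follow_links:
                continue  # skip symlinked files when followLinks=false
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            result[path] = h.hexdigest()
        if not recurse:
            dirnames[:] = []  # stop os.walk from descending, like recurse=false
    return result


def diff_snapshots(before, after):
    """Classify each path between two polls; add/delete/update are constructed labels."""
    events = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            events.append(("add", path))
        elif path not in after:
            events.append(("delete", path))
        elif before[path] != after[path]:
            events.append(("update", path))  # same path, different hash
    return events


def _write(path, text):
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed sample tree mutated between two polls; returns relative events."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sub"))
        _write(os.path.join(root, "a.txt"), "one")
        _write(os.path.join(root, "sub", "b.txt"), "two")
        before = snapshot(root)
        _write(os.path.join(root, "a.txt"), "ONE")      # content change -> update
        os.remove(os.path.join(root, "sub", "b.txt"))   # removed -> delete
        _write(os.path.join(root, "sub", "c.txt"), "3")  # new file -> add
        return [(a, os.path.relpath(p, root).replace(os.sep, "/"))
                for a, p in diff_snapshots(before, snapshot(root))]
```

A long pollPeriod means a file that is changed and changed back inside one interval is never seen, which is the trade-off behind the 3600 versus 60 second settings on this page.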

(Screenshot: Splunk File Delete)

Splunk article on the switches and FSCHANGE.
http://www.splunk.com/base/Documentation/4.0.3/Admin/Monitorchangestoyourfilesystem

[fschange:d:\temp]
recurse=true
followLinks=false
pollPeriod=60
