{"id":111,"date":"2009-08-31T13:17:06","date_gmt":"2009-08-31T19:17:06","guid":{"rendered":"http:\/\/www.anthonyreinke.com\/?p=111"},"modified":"2009-08-31T13:17:06","modified_gmt":"2009-08-31T19:17:06","slug":"monitoring-the-filesystem-with-splunk","status":"publish","type":"post","link":"https:\/\/anthonyreinke.com\/index.php\/2009\/08\/31\/monitoring-the-filesystem-with-splunk\/","title":{"rendered":"Monitoring the Filesystem with Splunk"},"content":{"rendered":"<p>I have used OSSEC in the past to watch the file system for changes. When I found that the Splunk agent can handle the monitoring itself, I was pretty excited. Since I would send my OSSEC data to Splunk anyway, it just seemed logical to have Splunk do everything.<\/p>\n<p>In Windows, you need to edit the &#8220;c:\\program files\\Splunk\\etc\\system\\local\\inputs.conf&#8221; file. Of course your path could be different if you installed it in a different place. There are a lot of options and switches you can use. I went for the simplest set.<\/p>\n<p>[fschange:d:\\temp]<br \/>\nrecurse=true<br \/>\npollPeriod=3600<\/p>\n<p>This will monitor the d:\\temp folder and all files and folders under it. It will check the system every 3600 seconds (1 hour).<\/p>\n<p>This has helped me keep track of the changes on my servers. I can see when a file was added\/deleted\/changed (detected via its hash) and then look at who was logged in during the period when the file was changed.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-115\" title=\"Splunk File Delete\" src=\"http:\/\/www.anthonyreinke.com\/wp-content\/uploads\/2009\/08\/Capture.JPG\" alt=\"Splunk File Delete\" width=\"600\" height=\"58\" \/><\/p>\n<p>Splunk article on the switches and FSCHANGE:<br \/>\n<a href=\"http:\/\/www.splunk.com\/base\/Documentation\/4.0.3\/Admin\/Monitorchangestoyourfilesystem\" target=\"_blank\">http:\/\/www.splunk.com\/base\/Documentation\/4.0.3\/Admin\/Monitorchangestoyourfilesystem<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have used OSSEC in the past to watch the file system for changes. When I found that the Splunk agent can handle the monitoring itself, I was pretty excited. Since I would send my OSSEC data to Splunk anyway, it just seemed logical to have Splunk do everything. In Windows, you need [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-111","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/posts\/111","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/comments?post=111"}],"version-history":[{"count":0,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/posts\/111\/revisions"}],"wp:attachment":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/media?parent=111"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/categories?post=111"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/tags?post=111
"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}