This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10
Splunk's file system change monitor is useful for tracking changes in your file system. The file system change monitor watches any directory you specify and generates an event (in Splunk) when that directory undergoes any change. It is completely configurable and can detect when any file on the system is edited, deleted or added (not just Splunk-specific files). For example, you can tell the file system change monitor to watch /etc/sysconfig/ and alert you any time the system's configurations are changed.
Configure file system change monitor in inputs.conf.
Note: If you're interested in auditing file reads on Windows, check out this topic on the Splunk Community best practices Wiki. Some users might find it more straightforward to use Windows native auditing tools.
The file system change monitor detects changes using:
You can configure the following features of the file system change monitor:
Caution: Do not configure the file system change monitor to monitor your root filesystem. This can be dangerous and time-consuming if directory recursion is enabled.
By default, the file system change monitor will generate events whenever the contents of $SPLUNK_HOME/etc/ are changed, deleted, or added to. When you start Splunk for the first time, an add audit event will be generated for each file in the $SPLUNK_HOME/etc/ directory and all sub-directories. Any time after that, any change in configuration (regardless of origin) will generate an audit event for the affected file(s). If you have signedaudit=true , the file system change audit event will be indexed into the audit index (index=_audit). If signedaudit is not turned on, by default, the events are written to the main index unless you specify another index.
Note: The file system change monitor does not track the user name of the account executing the change, only that a change has occurred. For user-level monitoring consider using native operating system audit tools, which have access to this information.
You can use the file system change monitor to watch any directory by adding a stanza to inputs.conf.
Create your own inputs.conf in $SPLUNK_HOME/etc/system/local/. Edit this files in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.
Edit the [fschange] stanza to configure the file system change monitor. Every setting is optional except the stanza name fschange:<directory or file to monitor>.
Note: You must restart Splunk any time you make changes to the [fschange] stanza.
[fschange:<directory or file to monitor>] index=<indexname> recurse=<true | false> followLinks=<true | false> pollPeriod=N hashMaxSize=N fullEvent=<true | false> sendEventMaxSize=N signedaudit=<true | false> filters=<filter1>,<filter2>,...<filterN>
[fschange:<directory or file to monitor>]
$SPLUNK_HOME/etc/.
index=<indexname>
recurse=<true | false>
[fschange].
followLinks=<true | false>
Caution: If you are not careful with setting followLinks, file system loops may occur.
pollPeriod=N
hashMaxSize=N
signedaudit=<true | false>
Note: When setting signedaudit to true, make sure auditing is enabled in audit.conf.
fullEvent=<true | false>
sendEventMaxSize attribute.
sendEventMaxSize=N
sourcetype = <string>
filesPerDelay = <integer>
delayInMills = <integer>
filters=<filter1>,<filter2>,...<filterN>
Each of these filters will apply from left to right for each file or directory that is found during the monitors poll cycle.
To define a filter, add a [filter...] stanza as follows:
[filter:blacklist:backups] regex1 = .*bak regex2 = .*bk [filter:blacklist:code] regex1 = .*\.c regex2 = .*\.h [fschange:/etc] filters = backups,code
Fschange white/blacklist logic is handed similarly to typical firewalls. The events run down through the list of filters until they reach their first match. If the first filter to match an event is a whitelist, the event will be indexed. If the first filter to match an event is a blacklist, the event will not be indexed. If an event reaches the end of the chain with no matches, it will be indexed. This means that there is an implicit "all pass" built in. To default to a situation where events are *not* indexed if they don't match a whitelist explicitly, end the chain with a blacklist that will match all remaining events.
For example:
... filters = <filter1>, <filter2>, ... terminal-blacklist [filter:blacklist:terminal-blacklist] regex1 = .?
Important: If a directory is ever blacklisted *including via a terminal blacklist at the end of a series of whitelists*, then *all* its subfolders and files are automatically blacklisted and will not pass any whitelist. To accommodate this, whitelist all desired folders and subfolders explicitly ahead of the blacklist items in your filters.
This configuration monitors files in the specified directory with the extensions config, xml, properties, and log and ignores all others.
Note: In this example, a directory could be blacklisted. If this is the case, *all* its subfolders and files would automatically blacklisted as well--only files in the specified directory would be monitored.
[filter:whitelist:configs] regex1 = .*\.config regex2 = .*\.xml regex3 = .*\.properties regex4 = .*\.log [filter:blacklist:terminal-blacklist] regex1 = .? [fschange:/var/apache] index = sample recurse = true followLinks = false signedaudit = false fullEvent = true sendEventMaxSize = 1048576 delayInMills = 1000 filters = configs,terminal-blacklist