
Forums: SplunkAdministration: File Integrity gid=-1, uid=-1 on Windows




I'm using 4.0.9. Does anyone know how to fix this? File integrity monitoring isn't very useful if you can't tell who changed the file.

Unfortunately there is no way to fix this. (Even on non-Windows, gid and uid only return the group/owner of the file, not who made the change.) In Windows it simply does not report on changes to ownership at all. This is something you might file as an enhancement request.

The monitoring simply takes a snapshot of the state of the file (and mod time) at certain intervals and reports if any of those changed. It does not detect when a change was actually made, nor by whom.

However, for this purpose, people can and do enable Windows File Auditing. This creates entries in the Windows Security Event Log which can be captured by Splunk and reported on there. The entries are not quite as clear as to the types of changes that occur, and honestly some writes to a file turn out to generate multiple entries in the Windows audit log, but it does capture that information.

These could be correlated using the file name and approximate time of the changes, if you are capturing the file content with fschange.
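The correlation the answer describes, written out as an added example in Python rather than as a Splunk search (this is not code from the thread or from Splunk): it joins each fschange detection to Windows Security Log object-access entries for the same case-folded path that fall in a short window before the poll that noticed the change, and collapses the duplicate audit rows the answer mentions into one account. The fschange line layout, the audit tuple shape and the 5-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data, not taken from the thread. The fschange line layout and
# the audit tuple (time, account, object path) are assumptions, not a verified
# Splunk 4.0.9 or Windows event format.
FSCHANGE_LINES = [
    'Tue Mar 02 10:15:07 2010 action=modify, path="C:\\inetpub\\wwwroot\\web.config", gid=-1, uid=-1',
    'Tue Mar 02 10:15:07 2010 action=modify, path="C:\\temp\\scratch.txt", gid=-1, uid=-1',
]
AUDIT_EVENTS = [  # Windows Security Log object-access entries, already field-extracted
    ("2010-03-02 10:14:51", "CORP\\jdoe", "C:\\inetpub\\wwwroot\\web.config"),
    ("2010-03-02 10:14:52", "CORP\\jdoe", "C:\\inetpub\\wwwroot\\web.config"),  # one write, two audit rows
    ("2010-03-02 09:30:00", "CORP\\svc_backup", "C:\\inetpub\\wwwroot\\web.config"),
]

FSCHANGE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4}) action=(?P<action>\w+), path="(?P<path>[^"]+)"'
)

def parse_fschange(line):
    """Pull timestamp, action and a case-folded path out of one fschange event."""
    m = FSCHANGE_RE.match(line)
    if m is None:
        return None
    return {
        "detected": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "action": m.group("action"),
        "path": m.group("path").lower(),  # Windows paths compare case-insensitively
    }

def attribute_changes(fschange_lines, audit_events, window=timedelta(minutes=5)):
    """Join each fschange detection to audit entries for the same path that landed
    within `window` before it (fschange polls, so the real write precedes the
    detection). Duplicate audit rows collapse into one account per path."""
    results = []
    for line in fschange_lines:
        ev = parse_fschange(line)
        if ev is None:
            continue
        accounts = set()
        for ts, account, obj in audit_events:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            if obj.lower() == ev["path"] and ev["detected"] - window <= when <= ev["detected"]:
                accounts.add(account)
        results.append({**ev, "accounts": sorted(accounts)})  # [] means no audit match
    return results
```

Run against the constructed data, web.config is attributed to CORP\jdoe (the earlier svc_backup access is outside the window) and scratch.txt comes back with no matching audit entry, which is exactly the gap the answer warns about when auditing is not enabled for a path.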