Monitoring the Filesystem with Splunk
I have used OSSEC in the past to watch the file system for changes. When I found that I can have the Splunk agent handle the monitoring itself, I was pretty excited. Since I would send my OSSEC data to Splunk anyways, it just seemed logical to have Splunk do everything.
In Windows, you need to edit the "c:\program files\Splunk\etc\system\local\inputs.conf" file. Of course your path could be different if you installed it in a different place. There are a lot of options and switches you can use. I went for the simplest set.
[fschange:d:\temp\]
recurse=true
pollPeriod=3600
This will monitor the d:\temp\ folder and all files and folders under it. It will check the system every 3600 seconds (1 hour).
This has helped me keep track of the changes on my servers. I can see when a file was added/deleted/changed (due to the hash) and then look at who was logged in during the period that the file was changed.
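To show what the stanza above actually drives, here is an added example (mine, not code from the post and not Splunk's own fschange implementation): it reads an [fschange:<path>] stanza from inputs.conf-style text, takes a hash snapshot of the folder, and classifies files as added, deleted or changed between two polls, which is what the post describes seeing in Splunk. The keys recurse, followLinks and pollPeriod are the ones shown on the page; the parsing and diffing logic is an assumption.

```python
# Added example, not Splunk code: a small hash-based change monitor driven by an
# [fschange:<path>] stanza. Parsing and diffing here are assumptions.
import configparser, hashlib, os, tempfile
from pathlib import Path

# Constructed inputs.conf text mirroring the stanza in the post.
SAMPLE_INPUTS_CONF = "[fschange:d:\\temp\\]\nrecurse=true\npollPeriod=3600\n"

def parse_fschange(text):
    """Return {path: (recurse, followLinks, pollPeriod)} for each fschange stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                # keep Splunk's camelCase key names
    cp.read_string(text)
    stanzas = {}
    for name in cp.sections():
        if name.startswith("fschange:"):
            s = cp[name]
            stanzas[name[len("fschange:"):]] = (s.getboolean("recurse", fallback=False),
                                                s.getboolean("followLinks", fallback=False),
                                                s.getint("pollPeriod", fallback=3600))
    return stanzas

def snapshot(root, recurse=True, follow_links=False):
    """Map relative path -> sha256 of every regular file under root."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=follow_links):
        if not recurse:
            dirnames[:] = []            # recurse=false: do not descend into subfolders
        for fname in filenames:
            p = Path(dirpath, fname)
            if p.is_symlink() and not follow_links:
                continue                # followLinks=false: skip symlinked files
            files[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return files

def diff(before, after):
    """Classify the difference between two snapshots taken one poll period apart."""
    return {"added": sorted(set(after) - set(before)),
            "deleted": sorted(set(before) - set(after)),
            "changed": sorted(k for k in before.keys() & after.keys() if before[k] != after[k])}

def demo():
    """Simulate two polls over a constructed temp tree and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "sub").mkdir()
        (r / "keep.txt").write_text("same")
        (r / "old.txt").write_text("x")
        (r / "sub" / "app.cfg").write_text("debug=0")
        first = snapshot(r)             # poll 1
        (r / "sub" / "app.cfg").write_text("debug=1")   # content change, hash differs
        (r / "old.txt").unlink()
        (r / "new.dll").write_bytes(b"\x00")
        return diff(first, snapshot(r)) # poll 2
```

In a real deployment the snapshot would be persisted between polls and the diff emitted as events to correlate with logon records, as the post does.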
Splunk article on the switches and FSCHANGE.
http://www.splunk.com/base/Documentation/4.0.3/Admin/Monitorchangestoyourfilesystem
recurse=true
followLinks=false
pollPeriod=60
