Anthony Reinke Just getting a few things out of my head

31 Aug 09

Monitoring the Filesystem with Splunk

I have used OSSEC in the past to watch the file system for changes.  When I found that I can have the Splunk agent handle the monitoring itself, I was pretty excited.  Since I would send my OSSEC data to Splunk anyway, it just seemed logical to have Splunk do everything.

In Windows, you need to edit the "c:\program files\Splunk\etc\system\local\inputs.conf" file.  Of course your path could be different if you installed it in a different place.  There are a lot of options and switches you can use.  I went for the simplest set.

[fschange:d:\temp\]
recurse=true
pollPeriod=3600

This will monitor the d:\temp\ folder and all files and folders under it.  It will check the system every 3600 seconds (1 hour).

This has helped me keep track of the changes on my servers.  I can see when a file was added/deleted/changed (a change is detected by comparing the file's hash) and then look at who was logged in during the period that the file was changed.

[Screenshot: Splunk File Delete]

Splunk article on the fschange switches:
http://www.splunk.com/base/Documentation/4.0.3/Admin/Monitorchangestoyourfilesystem

[fschange:d:\temp\]
recurse=true
followLinks=false
pollPeriod=60
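To show what the two stanzas above actually do (recurse into subfolders, skip symlinks when followLinks=false, re-scan every pollPeriod seconds, and use a per-file hash to tell a changed file from an untouched one), here is an added example that is not from the original post and not Splunk's code: a small snapshot-and-diff poller in Python that reproduces the same add/delete/change detection on any directory.

```python
# Added example (not from the post, not Splunk's implementation): a minimal
# poller that mirrors the fschange stanza.  recurse -> descend into subfolders;
# followLinks=false -> symlinks are neither hashed nor followed; pollPeriod ->
# how often a fresh snapshot is taken; the sha256 of each file is what lets a
# "changed" file be told apart from an unchanged one.
import hashlib
import os
import time


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, recurse=True, follow_links=False):
    """Map of relative path -> sha256 for every regular file under root."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=follow_links):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # followLinks=false: a link pointing outside the monitored tree
            # cannot pull foreign files into the snapshot.
            if not follow_links and os.path.islink(full):
                continue
            if os.path.isfile(full):
                state[os.path.relpath(full, root)] = sha256_of(full)
        if not recurse:
            dirnames[:] = []  # stop os.walk from descending further
    return state


def diff(old, new):
    """Return (added, deleted, changed) relative paths between two snapshots."""
    added = sorted(p for p in new if p not in old)
    deleted = sorted(p for p in old if p not in new)
    changed = sorted(p for p in new if p in old and old[p] != new[p])
    return added, deleted, changed


def poll(root, poll_period, on_change, cycles):
    """Re-snapshot every poll_period seconds, like fschange's pollPeriod."""
    last = snapshot(root)
    for _ in range(cycles):
        time.sleep(poll_period)
        current = snapshot(root)
        result = diff(last, current)
        if any(result):
            on_change(*result)  # (added, deleted, changed)
        last = current
```

With pollPeriod=3600 an attacker's drop-and-delete inside one hour never shows up in a diff, which is the trade-off behind lowering it to 60 in the second stanza.
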

20 Jun 09

Life as a G33k

I am sitting here on my main desktop writing this.  On one tab of Firefox I have my Facebook open.  On the next tab I have this page open.  I have my uTorrent running in the background.  My laptop sits next to me with a VPN connection into work.  I am running scripts and adding accounts into groups and verifying that the servers got the correct grouping.  My IDS is humming along.  My ESXi server is pumping out the heat as the server tries to keep the 8 processors cool.  I have 4 IM windows up on the laptop and 3 chat windows in Facebook.  I have 7 command prompt windows pinging servers asking them if they are still up.

It is now 1:35am and I have been up since 5:30am the day before.  No worries, I have my energy drink (Monster Khaos).  Odds are I will be into work between 9 and 10am.  Why?  Because I have 40 tickets to complete and more to be assigned.

Such is the life of a geek.
B-)