Splunk® Enterprise

Getting Data In


Monitor file system changes on Windows

Splunk Enterprise supports the monitoring of Windows file system changes through the Security Event Log channel. To enable monitoring of changes to files and directories, you first enable security auditing for the file(s) and folders you want to monitor for changes, then use Splunk's event log monitor to monitor the Security event log channel.

This procedure for monitoring file system changes replaces the deprecated file system change monitor input.

What's required to monitor file system changes?

Activity                     Required permissions
---------------------------  ------------------------------------------------------------------
Monitor file system changes  • Splunk must run on Windows AND
                             • Splunk must run as the Local System user OR as a domain user with
                               specific security policy rights to read the Security event log AND
                             • You must enable security auditing for the files or directories
                               you want Splunk to monitor changes to

Use the Security event log to monitor changes to files

You can monitor changes to files on your system by enabling security auditing on a set of files and/or directories and then monitoring the Security event log channel for change events. The event log monitoring input includes three attributes which you can use in inputs.conf:

Attribute       Description                                                                    Default
--------------  -----------------------------------------------------------------------------  -------
whitelist       Tells Splunk to index events which contain the specified ID codes. You can     N/A
                specify ranges of codes by using hyphens and commas. A hyphen defines a range
                of ID codes (for example, 0-2000 means "ID codes 0 through 2000") and a comma
                separates multiple ranges.
blacklist       Tells Splunk not to index events which contain the specified ID codes. You     N/A
                can specify ranges of codes by using hyphens and commas. A hyphen defines a
                range of ID codes (for example, 0-2000 means "ID codes 0 through 2000") and a
                comma separates multiple ranges.
suppress_text   Tells Splunk whether or not to include the message text that comes with a      0
                security event. A value of 1 suppresses the message text, and a value of 0
                preserves the text.

Note: You can use these attributes outside of the context of the Security event log and file system changes. Also, this list of attributes is only a subset of the available attributes for inputs.conf. For additional attributes, read "Monitor Windows event log data" in this manual.

Monitor file system changes

To monitor file system changes for a set of files or directories:

1. Follow the instructions at "Auditing Security Events How To" (http://technet.microsoft.com/en-us/library/cc727935%28v=ws.10%29.aspx) on MS Technet to enable security auditing.

Important: You must have administrator privileges to perform this task.

2. Configure the Splunk event log monitor input to monitor the Security event log channel.

Note: For specific instructions on how to configure the event log monitor input, read "Monitor Windows event log data" in this manual.

Examples

Following are inputs.conf stanzas that show examples of how to monitor file system changes.

This stanza collects security events with event ID codes 0 to 2000 and 3001-10000.

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# only index events with these event IDs.
whitelist = 0-2000,2001-10000
# exclude these event IDs from being indexed.
blacklist = 2001-3000

This stanza collects security events with event ID codes 0 to 2000 and 3001-10000. It also suppresses the message text that comes with each event.

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# suppress message text, we only want the event number.
suppress_text = 1
# only index events with these event IDs.
whitelist = 0-2000,2001-10000
# exclude these event IDs from being indexed.
blacklist = 2001-3000
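To check what a whitelist/blacklist/suppress_text combination will actually admit before deploying it, the following Python script (an added example, not Splunk code) parses a stanza like the ones above and applies its filters to a handful of constructed Security events. It assumes the precedence the page's own example implies: an event must fall inside a whitelist range and outside every blacklist range to be indexed. The helper names (`parse_ranges`, `should_index`, `apply_stanza`) and the sample events are this example's own.

```python
"""Added example: predict which Security events a WinEventLog stanza
would index. Not part of Splunk; whitelist-then-blacklist precedence is
an assumption consistent with the stanza examples on this page."""

# Second stanza from the page, verbatim (suppress_text = 1).
STANZA = """
[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# suppress message text, we only want the event number.
suppress_text = 1
# only index events with these event IDs.
whitelist = 0-2000,2001-10000
# exclude these event IDs from being indexed.
blacklist = 2001-3000
"""

# Constructed sample events; IDs chosen to land inside and outside the ranges.
SAMPLE_EVENTS = [
    {"EventCode": 1500, "Message": "constructed: inside first whitelist range"},
    {"EventCode": 2500, "Message": "constructed: whitelisted but blacklisted"},
    {"EventCode": 4663, "Message": "constructed: object access audit record"},
    {"EventCode": 20000, "Message": "constructed: outside every whitelist range"},
]


def parse_ranges(spec):
    """Turn '0-2000,2001-10000' into inclusive (low, high) tuples.
    A bare number such as '4663' becomes the single-ID range (4663, 4663)."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = part.split("-", 1)
            ranges.append((int(low), int(high)))
        else:
            ranges.append((int(part), int(part)))
    return ranges


def in_ranges(event_id, ranges):
    """True if event_id falls inside any inclusive range."""
    return any(low <= event_id <= high for low, high in ranges)


def parse_stanza(text):
    """Minimal inputs.conf stanza parser: returns (stanza name, settings dict).
    Lines starting with '#' are comments, as in the page's examples."""
    name, settings = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return name, settings


def should_index(event_id, settings):
    """Assumed precedence: the whitelist admits, then the blacklist removes.
    A stanza with no whitelist admits every ID."""
    whitelist = settings.get("whitelist")
    blacklist = settings.get("blacklist")
    if whitelist is not None and not in_ranges(event_id, parse_ranges(whitelist)):
        return False
    if blacklist is not None and in_ranges(event_id, parse_ranges(blacklist)):
        return False
    return True


def apply_stanza(events, settings):
    """Return copies of the events that would be indexed; when suppress_text
    is 1, the Message field is blanked to mirror the attribute's effect."""
    suppress = settings.get("suppress_text", "0") == "1"
    kept = []
    for event in events:
        if should_index(event["EventCode"], settings):
            event = dict(event)
            if suppress:
                event["Message"] = ""
            kept.append(event)
    return kept


def demo():
    """Apply the page's second stanza to the constructed events."""
    _, settings = parse_stanza(STANZA)
    return apply_stanza(SAMPLE_EVENTS, settings)


if __name__ == "__main__":
    for event in demo():
        print(event["EventCode"], repr(event["Message"]))
```

Running the script shows that 1500 and 4663 survive both filters with their message text blanked, 2500 is removed by the blacklist even though it is whitelisted, and 20000 is never admitted; this is the same net result the page describes (IDs 0 to 2000 and 3001-10000).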

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15

