Related Answers
Download topic as PDF
Monitor file system changes
Splunk Enterprise supports the monitoring of Windows file system changes through the Security Event Log channel. File change monitoring requires the enabling of security auditing for the files and folders you want to monitor for changes and using the Event Log monitor to monitor the Security event log channel. This procedure of monitoring file system changes replaces the deprecated file system change monitor input.
If you have Splunk Cloud and want to monitor Windows file system changes through the Security Event Log channel, use the Splunk Universal Forwarder.
What do you need to monitor file system changes?
| Activity: | Required permissions: |
|---|---|
| Monitor file system changes |
|
Use the Security event log to monitor changes to files
You can monitor changes to files on your system by enabling security auditing on a set of files and/or directories and then monitoring the Security event log channel for change events. The event log monitoring input includes three attributes which you can use in inputs.conf.
You can use these attributes outside of the context of the Security event log and file system changes. Also, this list of attributes is only a subset of the available attributes for inputs.conf. For additional attributes, read Monitor Windows event log data in this manual.
| Attribute | Description | Default |
|---|---|---|
whitelist
|
Index events that match the text string specified. This attribute is optional.
You can specify one of two formats:
You cannot mix formats in a single entry. You also cannot mix formats in the same stanza. Splunk Enterprise processes whitelists first, then blacklists. If no whitelist is present, Splunk Enterprise indexes all events. When using the Event Code/ID format:
When using the advanced filtering format:
|
N/A |
blacklist
|
Do not ndex events that match the text string specified. This attribute is optional.
You can specify one of two formats:
You cannot mix formats in a single entry. You also cannot mix formats in the same stanza. Splunk Enterprise processes whitelists first, then blacklists. If no whitelist is present, Splunk Enterprise indexes all events. When using the Event Code/ID format:
When using the advanced filtering format:
|
N/A |
suppress_text
|
Whether or not to include the message text that comes with a security event.
A value of 1 suppresses the message text. A value of 0 preserves the text. |
0 |
Create advanced filters with whitelist and blacklist
You can perform advanced filtering of incoming events with the whitelist and blacklist attributes in addition to filtering based solely on event codes. To do this, specify the key/regular expression format in the attribute:
whitelist = key=<regular expression> [key=<regular expression] ...
In this format, key is a valid entry from the following list:
| Key | Description |
|---|---|
| $TimeGenerated | The time that the computer generated the event. Only generates the time string as the event. |
| $Timestamp | The time that the event was received and recorded by the Event Log service. Splunk Enterprise only generates the time string as the event. |
| Category | The category number for a specific event source. |
| CategoryString | A string translation of the category. The translation depends on the event source. |
| ComputerName | The name of the computer that generated the event. |
| EventCode | The event ID number for an event. Corresponds to "Event ID" in Event Viewer. |
| EventType | A numeric value that represents one of the five types of events that can be logged ("Error", "Warning", "Information", "Success Audit", and "Failure Audit".) Available only on server machines running Windows Server 2003 and earlier or clients running Windows XP and earlier. See Win32_NTLogEvent class (Windows) (http://msdn.microsoft.com/en-us/library/aa394226(v=vs.85).aspx) on MSDN. |
| Keywords | An element used to classify different types of events within an event log channel. The Security Event Log channel has this element, for example. |
| LogName | The name of the Event Log channel that received the event. Corresponds to "Log Name" in Event Viewer. |
| Message | The text of the message in the event. |
| OpCode | The severity level of the event ("OpCode" in Event Viewer.) |
| RecordNumber | The Windows Event Log record number. Each event on a Windows server gets a record number. This number starts at 0 with the first event generated on the system, and increases with each new event generated, until it reached a maximum of 4294967295. It then rolls back over to 0. |
| Sid | The Security Identifier (SID) of the principal (such as a user, group, computer, or other entity) that was associated with or generated the event. See Win32_UserAccount class (http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507%28v=vs.85%29.aspx) on MSDN. |
| SidType | A numeric value that represents the type of SID that was associated with the event. See Win32_UserAccount class (http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507%28v=vs.85%29.aspx) on MSDN. |
| SourceName | The source of the entity that generated the event ("Source" in Event Viewer) |
| TaskCategory | The task category of the event. Event sources allow you to define categories so that you can filter them with Event Viewer (using the "Task Category" field. See Event Categories (Windows) (http://msdn.microsoft.com/en-us/library/aa363649%28VS.85%29.aspx) on MSDN. |
| Type | A numeric value that represents one of the the five types of events that can be logged ("Error", "Warning", "Information", "Success Audit", and "Failure Audit".) Only available on server machines that run Windows Server 2008 or later, or clients that run Windows Vista or later. See Win32_NTLogEvent class (Windows) (http://msdn.microsoft.com/en-us/library/aa394226(v=vs.85).aspx) on MSDN. |
| User | The user associated with the event. Correlates to "User" in Event Viewer. |
<regular expression> is any valid regular expression that represents the filters that you want to include (when used with the whitelist attribute) or exclude (when used with the blacklist attribute).
To learn more about regular expressions and how to use them, visit the Regularexpressions.info (http://www.regular-expressions.info) website.
You can specify more than one regular expression on a single entry line. Only events that satisfy all of the entries on the line are included or excluded. For example, this entry:
whitelist = EventCode="^1([0-5])$" Message="^Error"
means to include events that have an EventCode ranging from 10 to 15 and contain a Message that begins with the word Error.
You can specify up to 10 separate whitelist or blacklist entries in each stanza. To do so, add a number at the end of the whitelist or blacklist entry on a separate line:
whitelist = key=<regular expression> whitelist1 = key=<regular expression> key2=<regular expression 2> whitelist2 = key=<regular expression>
You cannot specify an entry that has more than one expression that references the same key. If, for example, you specify:
whitelist = EventCode="^1([0-5])$" EventCode="^2([0-5])$"
Splunk software ignores the first expression and only attempts to include events that match the second expression. In this case, only events that contain an EventCode between 20 and 25 match. Events that contain an EventCode between 10 and 15 do not match. Only the last expression in the entry ever matches.
To resolve this problem, specify two separate entries in the stanza:
whitelist = EventCode="^1([0-5])$" whitelist1 = EventCode="^2([0-5])$"
Monitor file system changes
- Confirm that you have administrator privileges.
- Enable security auditing. Search for "Enable security auditing" for the version of Windows that you run.
- Configure the Splunk Enterprise event log monitor input to monitor the Security event log channel.
For instructions on how to configure the Event Log monitor input, see [http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/MonitorWindowseventlogData Monitor Windows event log data].
Examples of file system change monitoring
Following are inputs.conf stanzas that show examples of how to monitor file system changes.
This stanza collects security events with event ID codes 0 to 2000 and 3001-10000.
[WinEventLog:Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 # only index events with these event IDs. whitelist = 0-2000,2001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000
This stanza collects security events with event ID codes 0 to 2000 and 3001-10000. It also suppresses the message text that comes in the event ID.
[WinEventLog:Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 # suppress message text, we only want the event number. suppress_text = 1 # only index events with these event IDs. whitelist = 0-2000,2001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000
|
PREVIOUS Monitor Windows event log data |
NEXT Monitor data through Windows Management Instrumentation (WMI) |
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.3.0
Comments
the link to the "Auditing Security Events How To" on microsoft's site is broken.
It appears that the Microsoft link next to TaskCategory above is broken/does not exist (http://msdn.microsoft.com/en-us/library/aa363649%28VS.85%29.aspx), might be this one now https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc976403(v=technet.10)