Splunk® Enterprise

Getting Data In

Monitor file system changes on Windows

The Splunk platform supports monitoring Windows file system changes through the Security Windows Event Log channel. To monitor file changes, you must enable security auditing for the files and folders you want to monitor for changes and use the Event Log monitor to monitor the Security event log channel. This procedure of monitoring file system changes replaces the deprecated file system change monitor input.

If you use Splunk Cloud Platform and want to monitor Windows file system changes through the Security Event Log channel, use the Splunk universal forwarder to monitor the changes on a Windows machine.

Requirements

You must meet the following requirements to monitor file system changes:

  • The Splunk platform must run on Windows. See Install on Windows in the Installation Manual.
  • The Splunk platform must run as the Local System user or as a domain user with specific security policy rights to read the Security event log
  • You must enable security auditing for the files or directories you want the Splunk platform to monitor changes to


Use the Security event log to monitor changes to files

You can monitor changes to files on your system by enabling security auditing on a set of files or directories and then monitoring the Security event log channel for change events. The event log monitoring input includes three settings which you can use in the inputs.conf configuration file. You can't configure monitoring of file system change events from Splunk Web.

You can use these settings outside of the context of the Security event log and file system changes. This list of settings is only a subset of the available settings for the inputs.conf file. For additional settings, see Monitor Windows event log data with Splunk Cloud.

The following table describes the configuration settings available for file monitoring in inputs.conf:

Setting Description Default
whitelist

Index events that match the text string specified. This setting is optional.

You can specify one of two formats:

  • One or more Event Log event codes or event IDs (Event Log code/ID format)
  • One or more sets of keys and regular expressions (Advanced filtering format)

You cannot mix formats in a single entry or mix formats in the same stanza.

The Splunk platform processes allow lists first, then deny lists. If no allow list is present, the Splunk platform indexes all events.

When using the Event Code/ID format, follow these rules:

  • For multiple codes/IDs, separate the list with commas.
  • For ranges, use hyphens (for example "0-1000,5000-1000").

When using the advanced filtering format, follow these rules:

  • Use = between the key and the regular expression that represents your filter, such as whitelist = EventCode=%^1([8-9])$%
  • You can have multiple key/regular expression sets in a single advanced filtering entry. The Splunk platform joins the sets logically. This means that the entry is valid only if all of the sets in the entry are true.
  • You can specify up to 10 allow lists per stanza by adding a number to the end of the whitelist setting, such as whitelist1...whitelist9.
N/A
blacklist

Do not index events that match the text string specified. This setting is optional.

You can specify one of two formats:

  • One or more Event Log event codes or event IDs (Event Log code/ID format)
  • One or more sets of keys and regular expressions (Advanced filtering format)

You cannot mix formats in a single entry or mix formats in the same stanza.

The Splunk platform processes allow lists first, then deny lists. If no allow list is present, the Splunk platform indexes all events.

When using the Event Code/ID format, follow these rules:

  • For multiple codes/IDs, separate the list with commas.
  • For ranges, use hyphens (for example "0-1000,5000-1000").

When using the advanced filtering format, follow these rules:

  • Use = between the key and the regular expression that represents your filter, such as whitelist = EventCode=%^1([8-9])$%
  • You can have multiple key/regular expression sets in a single advanced filtering entry. the Splunk platform joins the sets logically. This means that the entry is valid only if all of the sets in the entry are true.
  • You can specify up to 10 deny lists per stanza by adding a number to the end of the blacklist setting, for example blacklist1...blacklist9.
N/A
suppress_text

Whether or not to include the message text that comes with a security event.

A value of 1 suppresses the message text. A value of 0 preserves the text.

0

Create advanced filters with the whitelist and blacklist settings

You can perform advanced filtering of incoming events with the whitelist and blacklist settings in addition to filtering based solely on event codes. To do this, specify the key/regular expression format in the setting:

whitelist = key=<regular expression> [key=<regular expression] ...

In this format, key is a valid entry from the following list:

Key Description
$TimeGenerated The time that the computer generated the event. Only generates the time string as the event.
$Timestamp The time that the event was received and recorded by the Event Log service. the Splunk platform only generates the time string as the event.
Category The category number for a specific event source.
CategoryString A string translation of the category. The translation depends on the event source.
ComputerName The name of the computer that generated the event.
EventCode The event ID number for an event. Corresponds to "Event ID" in Event Viewer.
EventType A numeric value that represents one of the five types of events that can be logged ("Error", "Warning", "Information", "Success Audit", and "Failure Audit"). Available only on server machines running Windows Server 2003 and lower or clients running Windows XP and lower.
Keywords An element used to classify different types of events within an event log channel. The Security Event Log channel has this element, for example.
LogName The name of the Event Log channel that received the event. Corresponds to "Log Name" in Event Viewer.
Message The text of the message in the event.
OpCode The severity level of the event. Corresponds to "OpCode" in Event Viewer.
RecordNumber The Windows Event Log record number. Each event on a Windows server gets a record number. This number starts at 0 with the first event generated on the system, and increases with each new event generated, until it reaches a maximum of 4294967295. It then rolls back over to 0.
Sid The Security Identifier (SID) of the principal, such as a user, group, computer, or other entity, that was associated with or generated the event. See Win32_UserAccount class at https://msdn.microsoft.com/en-us/library/windows/desktop/aa394507%28v=vs.85%29.aspx on MSDN.
SidType A numeric value that represents the type of SID that was associated with the event. See Win32_UserAccount class at https://msdn.microsoft.com/en-us/library/windows/desktop/aa394507%28v=vs.85%29.aspx on MSDN.
SourceName The source of the entity that generated the event. Corresponds to "Source" in Event Viewer.
TaskCategory The task category of the event. Event sources allow you to define categories so that you can filter them with Event Viewer using the "Task Category" field. See Event Categories (Windows) at https://msdn.microsoft.com/en-us/library/aa363649%28VS.85%29.aspx on MSDN.
Type A numeric value that represents one of the five types of events that can be logged ("Error", "Warning", "Information", "Success Audit", and "Failure Audit"). Only available on server machines that run Windows Server 2008 or higher or clients that run Windows Vista or higher.
User The user associated with the event. Correlates to "User" in Event Viewer.

<regular expression> is any valid regular expression that represents the filters that you want to include when used with the whitelist setting or exclude when used with the blacklist setting.

You can specify more than one regular expression on a single entry line. Only events that satisfy all of the entries on the line are included or excluded. For example, this entry means to include events that have an EventCode ranging from 10 to 15 and contain a Message that begins with the word Error:

whitelist = EventCode="^1([0-5])$" Message="^Error"

You can specify up to 10 separate allow lists or deny list entries in each stanza. To do so, add a number at the end of the whitelist or blacklist setting entry on a separate line:

whitelist = key=<regular expression>
whitelist1 = key=<regular expression> key2=<regular expression 2>
whitelist2 = key=<regular expression>

You cannot specify an entry that has more than one expression that references the same key.

If you specify an entry using more than one expression referencing the same key, the Splunk platform ignores the first expression and only attempts to include events that match the second expression. See the following example:

whitelist = EventCode="^1([0-5])$" EventCode="^2([0-5])$"

In this case, only events that contain an EventCode between 20 and 25 match. Events that contain an EventCode between 10 and 15 do not match. Only the last expression in the entry ever matches.

To resolve this problem, specify two separate entries in the stanza:

whitelist = EventCode="^1([0-5])$"
whitelist1 = EventCode="^2([0-5])$"

Monitor file system changes

  1. Confirm that you have administrator privileges.
  2. Enable security auditing. Search for "Enable security auditing" for the version of Windows that you run.
  3. Configure the Splunk platform event log monitor input to monitor the Security event log channel.

For instructions on how to configure the Event Log monitor input, see Monitor Windows event log data.

Examples of file system change monitoring

The following inputs.conf stanzas show examples of how to monitor file system changes.

This stanza collects security events with event ID codes 0-2000 and 3001-10000.

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# only index events with these event IDs.
whitelist = 0-2000,2001-10000
# exclude these event IDs from being indexed.
blacklist = 2001-3000

This stanza collects security events with event ID codes 0-2000 and 3001-10000. It also suppresses the message text that comes in the event ID.

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# suppress message text, we only want the event number.
suppress_text = 1
# only index events with these event IDs.
whitelist = 0-2000,2001-10000
# exclude these event IDs from being indexed.
blacklist = 2001-3000
Last modified on 27 October, 2021
Monitor Windows event log data with   Monitor data through Windows Management Instrumentation (WMI)

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.1.13, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0, 8.1.10, 8.1.12, 8.1.14, 8.1.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters