The file system change monitor generates audit events whenever any process adds to, changes, or deletes the contents of the $SPLUNK_HOME/etc/ directory. When you start an on-premises Splunk instance for the first time, it generates one audit event for each file in $SPLUNK_HOME/etc/ and all of its subdirectories; that initial burst is the baseline. Afterward, any change to the configuration, regardless of origin (Splunk Web, the REST API, the CLI, or a direct edit of the file on disk), generates an audit event for each affected file. Where those events land depends on how you configure the file system monitoring input: with signed auditing enabled they are written to the _audit index, otherwise they go to the index the input specifies (main unless you set another one). Either way, all change events are indexed by, and searchable through, the Splunk platform. One caveat: the file system change monitor has been deprecated in later Splunk Enterprise releases, so check the release notes for your version before building detections on it.
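To make the baseline-then-diff behaviour above concrete, here is an added example (not code from the original post or from Splunk) that replays constructed file system change monitor events: the leading run of "add" events is treated as the first-start burst that seeds a baseline, and every later add, update or delete is compared against it, with changes to security-relevant configuration files raised as high-severity findings. It assumes the fschange event layout of comma-separated key=value pairs carrying action, path, hash and chgs fields; the sample paths, hashes and the list of sensitive files are assumptions made for the example.

```python
"""Triage of Splunk file system change monitor (fschange) events.

Added example, not code from the original page or from Splunk. It assumes
events are comma-separated key=value pairs with an action (add, update,
delete), a quoted path, a content hash and, for updates, a chgs field.
The sample events below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Files under $SPLUNK_HOME/etc whose modification should always be reviewed.
# This list is an assumption for the example, not a Splunk-defined set.
SENSITIVE_FILES = frozenset({
    "authentication.conf", "authorize.conf", "inputs.conf",
    "outputs.conf", "server.conf", "web.conf", "passwd",
})

# Constructed sample events: the first-start burst (one "add" per file),
# then a benign UI edit, a direct edit of authorize.conf and its deletion.
SAMPLE_EVENTS = [
    'Mon Jun  3 09:00:00 2024 action=add, path="/opt/splunk/etc/system/local/server.conf", isdir=0, size=612, gid=0, uid=0, modtime="Mon Jun  3 08:59:00 2024", mode="rw-r--r--", hash="a1"',
    'Mon Jun  3 09:00:00 2024 action=add, path="/opt/splunk/etc/system/local/authorize.conf", isdir=0, size=210, gid=0, uid=0, modtime="Mon Jun  3 08:59:00 2024", mode="rw-r--r--", hash="b2"',
    'Mon Jun  3 09:00:00 2024 action=add, path="/opt/splunk/etc/apps/search/local/savedsearches.conf", isdir=0, size=4090, gid=0, uid=0, modtime="Mon Jun  3 08:59:00 2024", mode="rw-r--r--", hash="c3"',
    'Tue Jun  4 10:15:00 2024 action=update, path="/opt/splunk/etc/apps/search/local/savedsearches.conf", isdir=0, size=4120, gid=0, uid=0, modtime="Tue Jun  4 10:15:00 2024", mode="rw-r--r--", hash="c4", chgs="chg-bytes chg-modtime chg-hash"',
    'Tue Jun  4 23:41:00 2024 action=update, path="/opt/splunk/etc/system/local/authorize.conf", isdir=0, size=250, gid=0, uid=0, modtime="Tue Jun  4 23:41:00 2024", mode="rw-r--r--", hash="b9", chgs="chg-bytes chg-modtime chg-hash"',
    'Wed Jun  5 01:02:00 2024 action=delete, path="/opt/splunk/etc/system/local/authorize.conf", isdir=0',
]

# key=value pairs; values are either double-quoted (may contain commas and
# spaces) or bare up to the next comma.
_PAIR = re.compile(r'(\w+)=("([^"]*)"|[^,]*)')


def parse_event(line: str) -> dict:
    """Split one fschange event into a field -> string dict."""
    fields = {}
    for m in _PAIR.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw.strip()
    return fields


@dataclass
class Finding:
    severity: str
    action: str
    path: str
    detail: str


def triage(lines) -> list:
    """Replay events in order. The leading run of "add" events (the burst
    produced by the first start of the instance) seeds the baseline; every
    event after that run is compared against it and reported."""
    baseline = {}          # path -> content hash
    findings = []
    in_startup = True      # heuristic: stays True until the first non-add event
    for line in lines:
        ev = parse_event(line)
        action, path = ev.get("action"), ev.get("path")
        if not action or not path:
            findings.append(Finding("low", "?", "?", "unparseable event: " + line))
            continue
        sensitive = path.rsplit("/", 1)[-1] in SENSITIVE_FILES
        sev = "high" if sensitive else "low"
        if action != "add":
            in_startup = False
        if action == "add":
            baseline[path] = ev.get("hash", "")
            if not in_startup:
                findings.append(Finding(sev, action, path, "file created after start-up"))
        elif action == "delete":
            baseline.pop(path, None)
            findings.append(Finding("high" if sensitive else "medium", action, path, "file removed"))
        elif action == "update":
            old, new = baseline.get(path), ev.get("hash", "")
            # Identical non-empty hashes mean a metadata-only change (e.g. modtime).
            # An empty hash means the file was not hashed (too large), so report it.
            if old is not None and old == new and old != "":
                continue
            baseline[path] = new
            findings.append(Finding(sev, action, path,
                                    f"content hash {old} -> {new} ({ev.get('chgs', 'no chgs field')})"))
        else:
            findings.append(Finding("low", action, path, "unknown action"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.action:6} {f.path}: {f.detail}")
```

Run stand-alone the script prints three findings: the saved-search edit at low severity, and the content change and deletion of authorize.conf at high. Because the monitor reports changes regardless of origin, the same logic catches a role edit made through Splunk Web and one made with a text editor on the host; what it cannot tell you is who made it, so pair it with the host's own audit trail when you investigate.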