I need to monitor file changes and I want to know which changes were made.
inputs.conf
[fschange:///etc/passwd]
disabled = 0
fullEvent = true
sendEventMaxSize = -1
pollPeriod = 10
hashMaxSize = -1
index=unixsrv
sourcetype=linux_configfile
I can't see the difference between the results if I use inputs.conf with the stanza fullEvent=true and without it.
Result is always the same:
Tue Feb 23 14:45:14 2016
action=update,
path="///etc/passwd",
isdir=0,
size=1771,
gid=0, uid=0,
modtime="Tue Feb 23 14:45:11 2016",
mode="rw-r--r--",
hash=,
chgs="modtime "
I would like to have the full passwd file.
I thought the "fullEvent" parameter was just for that, but it looks like it isn't.
What am I doing wrong?
Thanks