I am working on one of the customer's enterprise environment Azure cloud automation tasks. From the Azure perspective, for the past couple of days I have been working on and trying to set up alert management in OMS. We are using a log search query to validate initially and then create the relevant alerts. I am seeing some issues in Linux configuration file tracking. I enabled the counter for Linux file tracking as per the screenshot and manually tested the query in log search, either for a particular file or per computer, and I am able to see the modified file details in the output report. But my customer wants to monitor and track all the configuration file changes. So I tried to set the below-mentioned query with a particular path and file extension, but it's not working. I am not sure which operator to use here.
Could someone please help me to resolve the issue? It will be very helpful for me and everyone. Thanks in advance; I am expecting a good solution.
Planning to track: /etc/*.conf
Query not working:
1) ConfigurationChange | where FileSystemPath =~ "/etc/*.conf"
2) ConfigurationChange | where ( ConfigChangeType == "Files" ) | where ( ChangeCategory == "Modified" ) | where FileSystemPath ??? "/etc/*.conf" - choosing operator
If I use your query I am able to get .conf file changes. But it's collecting from every directory available under the path (/etc/other directory). We are looking for file changes only down to the next directory, not further directories (/etc/dir1/dir2/dir3/dir4/files); that means (/etc/dir1/).
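As an added example (not the poster's query and not the answer they refer to), a Kusto query that matches only .conf files directly under /etc or one directory below it; it assumes the follow-up means /etc/*.conf and /etc/dir1/*.conf but nothing deeper, and that the Computer and TimeGenerated columns are present as in any Log Analytics table:

```kusto
// Added example, not from the original post or any answer on this thread.
// "=~" is case-insensitive string equality and does not treat "*" as a
// wildcard, so "/etc/*.conf" only ever matches that literal string.
// A regular expression is needed instead. Kusto uses RE2 syntax; the
// @"..." verbatim string keeps the backslash literal, and "matches regex"
// is case-sensitive, which is correct for Linux paths.
ConfigurationChange
| where ConfigChangeType == "Files"
| where ChangeCategory == "Modified"
// Match /etc/<name>.conf or /etc/<dir1>/<name>.conf only.
// [^/]+ cannot cross a "/", so at most one subdirectory level is allowed;
// /etc/dir1/dir2/x.conf does not match.
| where FileSystemPath matches regex @"^/etc/(?:[^/]+/)?[^/]+\.conf$"
| project TimeGenerated, Computer, FileSystemPath, ChangeCategory
// Optional: aggregate per host and file per hour as the basis for an alert rule.
| summarize ChangeCount = count() by bin(TimeGenerated, 1h), Computer, FileSystemPath
| order by TimeGenerated desc
```

To include every depth below /etc instead, replace the regex with @"^/etc/.*\.conf$".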