topic Re: Splunk Add-on for Windows Setup steps in All Apps and Add-ons

Splunk Add-on for Windows Setup steps

seungman — Tue, 20 Jun 2017 06:56:09 GMT

Hi.
I installed Splunk Add-on for Microsoft Windows version 4.8.4 from Splunk 6.5.3.
However after installed this App, There on only message as like bellow:
Overview

The Splunk Add-on for Microsoft Windows provides pre-built data inputs to facilitate Windows system monitoring using Splunk. Check out the Splunk Add-on for Microsoft Windows page on Splunkbase for support information, the latest updates, and more.

Configuration of inputs through this application are global, and might affect how other Splunk applications on the system use those inputs. After configuration, confirm that the changes you make in this application do not negatively alter the other applications.

There are no available menu.
Have you ever installed this apps successfully with my same situation?

Thanks
Seung-Man Jo

Re: Splunk Add-on for Windows Setup steps

gcusello — Tue, 20 Jun 2017 07:10:16 GMT

Hi seungman,
did you followed instructions on http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/AbouttheSplunkAdd-onforWindows ?
Anyway, you have to analyze the scope of your monitoring and enable only inputs in your scope.
To enable these inputs you have to modify inputs.conf file in $SPLUNK_HOME\etc\apps\local changing "1" with "0" in the "disabled" options.
Remeber that if there isn't inputs.conf in local folder, you have to copy it from default folder, don't modify the one in default folder, because you'll lose your changes at the first upgrade.
It's important to define the scope of your monitoring because Windows is very verbose and you could receive too many logs.
Bye.
Giuseppe

Re: Splunk Add-on for Windows Setup steps

seungman — Tue, 29 Sep 2020 14:31:50 GMT

Hi. cusello.
After I installed Apps, there wasn`t inputs.conf file.
Hence I created like below:
[root@ip-172-31-28-27 local]# cat inputs.conf
[WinEventLog://Security]
index=security
current_only=1
evt_resolve_ad_obj=0
renderXml=1
disabled=0

Is it correct inputs.conf file?

Thanks
Seung-Man Jo

Re: Splunk Add-on for Windows Setup steps

gcusello — Tue, 20 Jun 2017 07:23:35 GMT

Hi Jo,
yes it's correct.
Usually I prefer to use the default index "wineventlog" instead of a custom one, but you're correct, it's only a practice of mine.
in addition I found that option "renderXml=1" sometimes gives an error and usually I don't use it: you can verify this restarting Splunk Forwarder by CLI, in this way you can see startup messages and eventually configuration errors.

Bye.
Giuseppe

Re: Splunk Add-on for Windows Setup steps

seungman — Tue, 29 Sep 2020 14:31:53 GMT

Hi. cusello.

Thanks quick feedback.
Yes. I deleted the 'renderXml=1' value and reboot OS also.
However still same.
Are there any check point?

Here are my folder information.
[root@ip-172-31-28-27 local]# ll
total 8
-rw------- 1 root root 65 Jun 20 05:26 app.conf
-rw-r--r-- 1 root root 100 Jun 20 07:26 inputs.conf
[root@ip-172-31-28-27 local]# pwd
/etc/apps/splunk/etc/apps/Splunk_TA_windows/local
[root@ip-172-31-28-27 local]#

Thanks
Seung-Man Jo

Re: Splunk Add-on for Windows Setup steps

gcusello — Tue, 29 Sep 2020 14:31:55 GMT

Hi Jo,
You don't need to reboot OS, only Splunk Forwarder.

Sorry but examining your information, I see that you're running TA_Windows on a Unix system! TA_Windows must be installed on the target Windows server to monitor, not on the Splunk Enterprise Server!
You can deploy it manually or using a Deployment Server, anyway it must run on a Windows server!

See very carefully documentation at https://docs.splunk.com/Documentation/Splunk/6.6.1/Data/WhatSplunkcanmonitor

Bye.
Giuseppe

P.S., if you're satisfied by my answer accept it.