topic Re: Forwarder / Windows / monitor source in Getting Data In

Forwarder / Windows / monitor source

vladx — Wed, 01 Mar 2017 15:31:09 GMT

Hi,

I have the following very simple usecase

-- some logs (these are basically linux logs) are available as a share from a windows machine. Share is mapped to drive Z:
-- universal forwarder installed on this machine and configured to monitor this directory

my relevant part of input.conf looks like this

[monitor://Z:]
recursive = true
disabled = 0

[monitor://Z:\2017\02-09]
disabled = 0

none of them are working and nothing received in Splunk. When I enable eventlog or perfmon sources, these are succesfully indexed

Any idea what's wrong?

Thank you

Re: Forwarder / Windows / monitor source

DMohn — Thu, 02 Mar 2017 12:28:43 GMT

As you are talking about a share: Have you made sure, that your splunk user may access this shared folder?

Re: Forwarder / Windows / monitor source

vladx — Thu, 02 Mar 2017 13:55:01 GMT

I suppose this is where the dog lied buried. When I copied one of the log from the share to the local disk, it is successfully sent to Splunk, however from the share isn't.

I've changed the user runs splunk forwarder to my domain account and I also made sure the share is accessible using my domain account, but it is still not working. I suppose when I map a drive, it is not visible to forwarder (or any service account), however I can see in the log this

TailingProcessor - Parsing configuration stanza: monitor://Z:.

Any idea?

Thank you

Re: Forwarder / Windows / monitor source

ddrillic — Thu, 02 Mar 2017 14:25:15 GMT

Good place to start - I can't find my data!

Re: Forwarder / Windows / monitor source

3no — Thu, 02 Mar 2017 14:31:18 GMT

Are you running splunkd on a Windows machine ? If so maybe the service is running in a different user context to you. Have you tried to use the full UNC name of the folder instant of Z: ?

You can get this from issuing a NET USE command on a machine that has the relevant Z: drive. It will look something like "\\ServerName\ShareName".

Re: Forwarder / Windows / monitor source

vladx — Thu, 02 Mar 2017 16:02:57 GMT

it seems the UNC way is working. At least when I share the files from a windows server. Unfortunately, in my usecase we are sharing from an appliance using Samba and with this there are some access denied errors, but this is not a splunk related issue.

So, the solution: use the UNC path but also make sure the access rights on the share and files set properly, so splunk user can descend into the directories and read the files

Thank you again

Re: Forwarder / Windows / monitor source

vladx — Thu, 02 Mar 2017 16:03:27 GMT

So, the solution: use the UNC path but also make sure the access rights on the share and files set properly, so splunk user can descend into the directories and read the files

Thank you again

Re: Forwarder / Windows / monitor source

vladx — Thu, 02 Mar 2017 16:03:39 GMT

So, the solution: use the UNC path but also make sure the access rights on the share and files set properly, so splunk user can descend into the directories and read the files

Re: Forwarder / Windows / monitor source

lguinn2 — Thu, 02 Mar 2017 16:26:29 GMT

The answer appears to be permissions and is well-described in the comments.

But I would like to point out another problem: your inputs.conf has overlapping stanzas.
Do not do this! The first stanza monitors the entire Z: directory tree. The second stanza is redundant and should be removed. So your inputs.conf should look like this:

[monitor://Z:]
recursive = true
disabled = 0