https://community.splunk.com/t5/Installation/start-tail-monitoring-windows-event-log-upon-Splunk-install/m-p/10204#M54 <P>What should I attach to my install script if I want to start monitoring the event log in "tail" mode. I don't want to grab any historical events on the first time the LWF runs on the client machines.</P> <P>I have this as an install script:</P> <P>msiexec.exe /i %SPLUNK_MSI% LAUNCHSPLUNK=0 WMICHECK_CPUTIME=0 WMICHECK_LOCALDISK=0 WMICHECK_FREEDISK=0 WMICHECK_MEMORY=0 WINEVENTLOGAPPCHECK=0 WINEVENTLOGSECCHECK=1 WINEVENTLOGSYSCHECK=0 /QUIET</P> <P>This will successfully enable the Security event log on windows, but will capture the historical events.</P> Mon, 15 Mar 2010 20:48:55 GMT BunnyHop 2010-03-15T20:48:55Z https://community.splunk.com/t5/Installation/start-tail-monitoring-windows-event-log-upon-Splunk-install/m-p/10204#M54 <P>What should I attach to my install script if I want to start monitoring the event log in "tail" mode. I don't want to grab any historical events on the first time the LWF runs on the client machines.</P> <P>I have this as an install script:</P> <P>msiexec.exe /i %SPLUNK_MSI% LAUNCHSPLUNK=0 WMICHECK_CPUTIME=0 WMICHECK_LOCALDISK=0 WMICHECK_FREEDISK=0 WMICHECK_MEMORY=0 WINEVENTLOGAPPCHECK=0 WINEVENTLOGSECCHECK=1 WINEVENTLOGSYSCHECK=0 /QUIET</P> <P>This will successfully enable the Security event log on windows, but will capture the historical events.</P> Mon, 15 Mar 2010 20:48:55 GMT https://community.splunk.com/t5/Installation/start-tail-monitoring-windows-event-log-upon-Splunk-install/m-p/10204#M54 BunnyHop 2010-03-15T20:48:55Z https://community.splunk.com/t5/Installation/start-tail-monitoring-windows-event-log-upon-Splunk-install/m-p/10205#M55 <P>I don't think the requisite flag, current_only, is exposed in the WMI interface. You will need to do one of:</P> <UL> <LI>Manually (possibly by script) tweak the inputs.conf post-install, but this will not prevent splunk from starting to pull the eventlog when it's first started. Since you are setting LAUNCHSPLUNK=0, this should be achivable before the first start.</LI> <LI>Alternatively, leave all the inputs disabled, but configure your hosts as deployment clients. Then you can deliver an inputs.conf tailored to your needs via that method. Unfortunately deployment client configuration isn't triggerable via the MSI commandline.</LI> </UL> Tue, 16 Mar 2010 05:20:28 GMT https://community.splunk.com/t5/Installation/start-tail-monitoring-windows-event-log-upon-Splunk-install/m-p/10205#M55 jrodman 2010-03-16T05:20:28Z https://community.splunk.com/t5/Installation/start-tail-monitoring-windows-event-log-upon-Splunk-install/m-p/10206#M56 <P>Is there a way to append the inputs.conf? I can possibly disable all inputs from the install and then have another line in the script to copy the /etc/ files. I don't to override the inputs.conf file that splunk creates during installation, since that contains the hostname of the client. </P> <P>I'm using the free splunk so I can't utilize the deployment server/client environment.</P> Tue, 16 Mar 2010 08:01:43 GMT https://community.splunk.com/t5/Installation/start-tail-monitoring-windows-event-log-upon-Splunk-install/m-p/10206#M56 BunnyHop 2010-03-16T08:01:43Z https://community.splunk.com/t5/Installation/start-tail-monitoring-windows-event-log-upon-Splunk-install/m-p/10207#M57 <P>You should use configuration files immediately after running the installer to set this up. See either: <A href="http://answers.splunk.com/questions/434/can-i-auto-install-or-deploy-splunk-onto-all-my-remote-windows-servers/437#437" rel="nofollow">http://answers.splunk.com/questions/434/can-i-auto-install-or-deploy-splunk-onto-all-my-remote-windows-servers/437#437</A> or <A href="http://www.splunk.com/wiki/Deploy:SplunkForwarder_for_Windows_installscript" rel="nofollow">http://www.splunk.com/wiki/Deploy:SplunkForwarder_for_Windows_installscript</A> for an example of a script that installs and lays down any desired configuration on top.</P> Tue, 23 Mar 2010 04:45:26 GMT https://community.splunk.com/t5/Installation/start-tail-monitoring-windows-event-log-upon-Splunk-install/m-p/10207#M57 gkanapathy 2010-03-23T04:45:26Z https://community.splunk.com/t5/Installation/start-tail-monitoring-windows-event-log-upon-Splunk-install/m-p/10208#M58 <P>This works, however, when the service starts for the first time, it overrides the files I've placed...i.e. I created an inputs.conf that has certain attributes, after the splunk service starts, it replaced my custom inputs.conf, it did not append it as I expected.</P> Tue, 23 Mar 2010 23:01:09 GMT https://community.splunk.com/t5/Installation/start-tail-monitoring-windows-event-log-upon-Splunk-install/m-p/10208#M58 BunnyHop 2010-03-23T23:01:09Z https://community.splunk.com/t5/Installation/start-tail-monitoring-windows-event-log-upon-Splunk-install/m-p/10209#M59 <P>where did you put your custom file? etc/system/local would be the wrong place.</P> Wed, 24 Mar 2010 21:32:23 GMT https://community.splunk.com/t5/Installation/start-tail-monitoring-windows-event-log-upon-Splunk-install/m-p/10209#M59 gkanapathy 2010-03-24T21:32:23Z https://community.splunk.com/t5/Installation/start-tail-monitoring-windows-event-log-upon-Splunk-install/m-p/10210#M60 <P>Yes that's where i put my file. Where would be the better spot?</P> Sat, 27 Mar 2010 00:07:15 GMT https://community.splunk.com/t5/Installation/start-tail-monitoring-windows-event-log-upon-Splunk-install/m-p/10210#M60 BunnyHop 2010-03-27T00:07:15Z https://community.splunk.com/t5/Installation/start-tail-monitoring-windows-event-log-upon-Splunk-install/m-p/10211#M61 <P>etc/apps/search/local</P> Sat, 27 Mar 2010 23:56:09 GMT https://community.splunk.com/t5/Installation/start-tail-monitoring-windows-event-log-upon-Splunk-install/m-p/10211#M61 gkanapathy 2010-03-27T23:56:09Z