All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Application for collection logs

inessa40408
Explorer
‎11-29-2024 02:26 PM

Hello Splunk community,

 

We have a device on the windows systeme.

I tried to find a LOG file on it that is responsible for the Internet connection and connection quality. But unfortunately, this screen saves a limited amount of information in its LOG files regarding the Internet connection.

 

I wanted to know, does Splunk have a solution for such situations? Perhaps there is an application that we can install on this device that will allow us to erase the necessary LOGs?

 

Thank you in advance for you answer 🙂 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

marnall
Motivator
‎12-02-2024 01:19 PM

When you run the command "netsh wlan show wlanreport", it does not only generate a HTML report, but also a xml report. This is good because the HTML report is intended for human consumption so Splunk will not be happy with it. You can instead index the XML file.

The XML file is at: C:\ProgramData\Microsoft\Windows\WlanReport\wlan-report-latest.xml

To set up Splunk to generate and index this file once per hour, you need 3 configuration files:

1) A props.conf file on your indexer machine(s)

# Put this in /opt/splunk/etc/apps/<yourappname>/local/props.conf
[WlanReport]
maxDist = 170
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = <?xml version
TIME_PREFIX = ReportDate>


2) A inputs.conf file on your forwarder machine(s)

# Put this in /opt/splunkforwarder/etc/apps/<yourdeploymentappname>/local/inputs.conf
[monitor://C:\ProgramData\Microsoft\Windows\WlanReport\wlan-report-latest.xml]
index=main
sourcetype=WlanReport
disabled = 0
initCrcLength = 256

# You can use a scripted input to run the command once per X seconds specified by the interval
[script://C:\Program Files\SplunkUniversalForwarder\etc\apps\<yourdeploymentappname>\bin\scripts\wlanreport.bat]
interval = 3600
disabled = 0
# (I have trouble getting it to work with a relative path to the script)

3) The script file on your forwarder machine(s):

# Put this in /opt/splunk/etc/apps/<yourdeploymentappname>/bin/wlanreport.bat
@echo off
netsh wlan show wlanreport

 

You will then have events coming in containing the XML file contents, every hour.

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-30-2024 02:01 AM

Hi @inessa40408 ,

Splunk is a search engine, and it takes the available logs.

What's the technology you're using to take these logs? maybe the solution is in the integration between your solution and Splunk.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

inessa40408
Explorer
‎12-02-2024 12:13 AM

Hello.

 

Thank you for your reply.

 

You are right, I have given little information.

 

We have a Windows devices. Theses devices have a limited network map. It does not save log files regarding all connections to the WiFi network. The only way to get this information is to go to the CMD, run the command: netsh wlan show wlanreport and then this report will be saved in the folder: C:\ProgramData\Microsoft\Windows\WlanReport\wlan-report-latest.html. But, this script saves the report only after manual entry on the device. We need this report to be saved constantly.

 

For example, with a frequency of: once an hour. So that later this file could be loaded into splunk to analyze the operation and connection to the WiFi network. Yes, of course, we would like to have more information from this device, such as: signal strength of the equipment, connection breaks, ping failed, MAC addresses of access points to which the device connects. But for now this is not a priority, as I would like to automate saving the LOG file to a specific folder.

 

I will be so thankfull if you have any ideas or advice on this matter, I would be grateful for the advice.

 

If you have any clarifying questions: do not hesitate to ask me.

 

Thanks in advance for your answer 🙂

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-02-2024 12:18 AM

Hi @inessa40408 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

marnall
Motivator
‎11-30-2024 12:40 AM

If I understand correctly, you have a windows system with a logfile that does not have a long log retention time, so you cannot use the log file to look back very far, but you need to be able to look further back in time.

This sounds like a straightforward use case for the Splunk forwarder. If you install the forwarder on the machine, then set up an input configuration to monitor that logfile, then the forwarder will send the log data to the Splunk indexers where it will be indexed and stored for longer times.

Reply
Solved! Jump to solution

inessa40408
Explorer
‎12-02-2024 12:14 AM

Hello.

Thank you for your reply.

You are right, I have given little information.

 

We have a Windows devices. Theses devices have a limited network map. It does not save log files regarding all connections to the WiFi network. The only way to get this information is to go to the CMD, run the command: netsh wlan show wlanreport and then this report will be saved in the folder: C:\ProgramData\Microsoft\Windows\WlanReport\wlan-report-latest.html.

 

But, this script saves the report only after manual entry on the device. We need this report to be saved constantly.

 

For example, with a frequency of: once an hour. So that later this file could be loaded into splunk to analyze the operation and connection to the WiFi network. Yes, of course, we would like to have more information from this device, such as: signal strength of the equipment, connection breaks, ping failed, MAC addresses of access points to which the device connects. But for now this is not a priority, as I would like to automate saving the LOG file to a specific folder.

 

I will be so thankfull if you have any ideas or advice on this matter, I would be grateful for the advice

 

If you have any clarifying questions: do not hesitate to ask me.

 

Thanks in advance for your answer 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

marnall
Motivator
‎12-02-2024 01:19 PM

When you run the command "netsh wlan show wlanreport", it does not only generate a HTML report, but also a xml report. This is good because the HTML report is intended for human consumption so Splunk will not be happy with it. You can instead index the XML file.

The XML file is at: C:\ProgramData\Microsoft\Windows\WlanReport\wlan-report-latest.xml

To set up Splunk to generate and index this file once per hour, you need 3 configuration files:

1) A props.conf file on your indexer machine(s)

# Put this in /opt/splunk/etc/apps/<yourappname>/local/props.conf
[WlanReport]
maxDist = 170
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = <?xml version
TIME_PREFIX = ReportDate>


2) A inputs.conf file on your forwarder machine(s)

# Put this in /opt/splunkforwarder/etc/apps/<yourdeploymentappname>/local/inputs.conf
[monitor://C:\ProgramData\Microsoft\Windows\WlanReport\wlan-report-latest.xml]
index=main
sourcetype=WlanReport
disabled = 0
initCrcLength = 256

# You can use a scripted input to run the command once per X seconds specified by the interval
[script://C:\Program Files\SplunkUniversalForwarder\etc\apps\<yourdeploymentappname>\bin\scripts\wlanreport.bat]
interval = 3600
disabled = 0
# (I have trouble getting it to work with a relative path to the script)

3) The script file on your forwarder machine(s):

# Put this in /opt/splunk/etc/apps/<yourdeploymentappname>/bin/wlanreport.bat
@echo off
netsh wlan show wlanreport

 

You will then have events coming in containing the XML file contents, every hour.

Reply
Solved! Jump to solution

inessa40408
Explorer
‎12-02-2024 11:44 PM

Thank you very much for your answer and help, I will try today. And I will come back with feedback 🙂 

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top