I have deployed the Add-on for Windows on one of my servers and I'm not collecting any data. If I don't use the Add-on's input.conf and only use the input.conf file located in \etc\system\local, it works fine, but if I remove the data from that file and use the \etc\apps\Splunk_TA_windows\local file, I get nothing. I've restarted the service and rebooted the host machine, and I'm not sure where to go from here.
I followed the directions here: https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/Configuration for the configuration of the input.conf and prop.conf files.
Any suggestions on what I'm missing, or which log to look at for error messages?
Thanks,
Bob
The best practice is to create an app of your own, so it is modular and controllable (via a deployment server, etc.). Create an app (e.g. MY_windows_app) within etc\apps and create an inputs.conf file within its local directory. So it will look like MY_windows_app\local\inputs.conf.
In your MY_windows_app\local\inputs.conf make an entry like below:
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
Restart Splunk.
Data should come in correctly now if you have set up your indexer and outputs.conf correctly.
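A fuller version of the app layout koshyk describes, written here as an added example (it is not from the thread and not Splunk's own add-on configuration). The app name MY_windows_app, the index name windows and the Security event-code selection are assumptions; only keys documented for the WinEventLog input are used:

```ini
# etc\apps\MY_windows_app\local\inputs.conf  (constructed example; app name assumed)
# Every stanza below is read by the universal forwarder on restart.

[WinEventLog://Application]
disabled = 0
# Assumed index name. It must already exist on the indexer, otherwise
# splunkd.log on the indexer reports the events as dropped.
index = windows
# Read the whole log on first start, then keep following it.
start_from = oldest
current_only = 0

[WinEventLog://Security]
disabled = 0
index = windows
start_from = oldest
current_only = 0
# Keep only the logon, privilege and account-management events that matter
# most for detection. The EventCode list is an assumption; widen it as needed.
# The regex is delimited by % as the whitelist syntax requires.
whitelist = EventCode=%^(4624|4625|4634|4648|4672|4720|4726|4728|4732|4756)$%

[WinEventLog://System]
disabled = 0
index = windows
start_from = oldest
current_only = 0
```

Two checks answer the "which log do I look at" part of the question. From the forwarder's bin directory, `splunk btool inputs list --debug` prints every effective inputs.conf stanza together with the file it was read from, which shows immediately whether the app's local file is being picked up; a copy of the same stanza left in etc\system\local wins over any app, which is why the system\local version worked. Errors from the inputs themselves (a misspelled channel, a missing index) land in var\log\splunk\splunkd.log on the forwarder.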
Although your question has been answered, was the Windows app sending the data to the default 'windows' index, and you were searching your own index and found no data? Just checking - I'm trying to add to my troubleshooting knowledge base.
No data was getting to the splunk instance at all, I did a search on index=* and saw nothing before doing koshyk's suggestion.
Thanks for the response.
Thanks koshyk! That seems to do the trick! I did fail to mention I do have a deployment server and that I was using it, but using your method I simply created the app and deployed it with your suggestions.
Though I do have a couple of quick follow-up questions. In the link I referenced it talked about setting up the local.conf and prop.conf files; was that incorrect, or was I misunderstanding something there?
Also, using the method you showed me, I wanted to ask: what if I have some one-off data I want to ingest into Splunk that is not configured in the MY_windows_app\local\inputs.conf file and I don't want it to be on every server? For example, if I have one server that I want to get Sysmon data from but not every server. Do I then update the etc/system/local input.conf file for that specifically?
Thanks again!
Bob
Then you create your "app" more specifically, per input:
MY_windows_application_inputs
MY_windows_security_inputs
MY_windows_sysmon_inputs
and in your serverclass, send the above apps as required to the end hosts/clients. The more granular you go, the more control you have and the easier it is to be dynamic.
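The per-input apps and server classes described above, as an added example rather than configuration from the thread or from Splunk. The server class names, the host-name patterns, the app names and the index name are all assumptions; the keys used are standard serverclass.conf and inputs.conf settings:

```ini
# etc\system\local\serverclass.conf on the deployment server
# Constructed example: server class names, host patterns and app names are assumed.

[global]
# Forwarders restart splunkd when an app they receive changes, so new inputs take effect.
restartSplunkd = true

# Every forwarder that phones home receives the Application/System inputs.
[serverClass:windows_all]
whitelist.0 = *

[serverClass:windows_all:app:MY_windows_application_inputs]

# Security inputs only for hosts whose name matches the assumed pattern.
[serverClass:windows_security]
whitelist.0 = win-*

[serverClass:windows_security:app:MY_windows_security_inputs]

# Sysmon input only for the one host that actually has Sysmon installed.
[serverClass:windows_sysmon]
whitelist.0 = win-app01

[serverClass:windows_sysmon:app:MY_windows_sysmon_inputs]


# etc\deployment-apps\MY_windows_sysmon_inputs\local\inputs.conf
# Constructed example: this is the app body the sysmon server class pushes out.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
# Assumed index name; create it on the indexer first.
index = windows
# Sysmon events carry their fields in the XML body, so forward the XML form.
renderXml = 1
```

On the deployment server the app directories live under etc\deployment-apps, and `splunk reload deploy-server` (from the bin directory) makes it re-read serverclass.conf and push the changed apps. Because each input type is its own app, adding Sysmon to a second host is a one-line change to whitelist.1 in the sysmon server class rather than an edit to etc\system\local on that host, which keeps every forwarder's effective configuration visible from the deployment server.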