Hi.
I installed Splunk Add-on for Microsoft Windows version 4.8.4 on Splunk 6.5.3.
However, after installing this app, there is only a message like the one below:
Overview
The Splunk Add-on for Microsoft Windows provides pre-built data inputs to facilitate Windows system monitoring using Splunk. Check out the Splunk Add-on for Microsoft Windows page on Splunkbase for support information, the latest updates, and more.
Configuration of inputs through this application are global, and might affect how other Splunk applications on the system use those inputs. After configuration, confirm that the changes you make in this application do not negatively alter the other applications.
There is no available menu.
Have you ever installed this app successfully in the same situation as mine?
Thanks
Seung-Man Jo
Hi cusello.
After I installed the app, there wasn't an inputs.conf file.
Hence I created one as below:
[root@ip-172-31-28-27 local]# cat inputs.conf
[WinEventLog://Security]
index=security
current_only=1
evt_resolve_ad_obj=0
renderXml=1
disabled=0
Is this a correct inputs.conf file?
Thanks
Seung-Man Jo


Hi Jo,
Yes, it's correct.
Usually I prefer to use the default index "wineventlog" instead of a custom one, but you're correct; it's only a practice of mine.
In addition, I found that the option "renderXml=1" sometimes gives an error, and usually I don't use it: you can verify this by restarting the Splunk Forwarder via the CLI; in this way you can see the startup messages and any configuration errors.
Bye.
Giuseppe
Hi cusello.
Thanks for the quick feedback.
Yes, I deleted the 'renderXml=1' value and rebooted the OS as well.
However, it is still the same.
Are there any other points to check?
Here is my folder information.
[root@ip-172-31-28-27 local]# ll
total 8
-rw------- 1 root root 65 Jun 20 05:26 app.conf
-rw-r--r-- 1 root root 100 Jun 20 07:26 inputs.conf
[root@ip-172-31-28-27 local]# pwd
/etc/apps/splunk/etc/apps/Splunk_TA_windows/local
[root@ip-172-31-28-27 local]#
Thanks
Seung-Man Jo


Hi Jo,
You don't need to reboot the OS, only the Splunk Forwarder.
Sorry, but examining your information, I see that you're running TA_Windows on a Unix system! TA_Windows must be installed on the target Windows server to monitor, not on the Splunk Enterprise server!
You can deploy it manually or using a Deployment Server; anyway, it must run on a Windows server!
See very carefully the documentation at https://docs.splunk.com/Documentation/Splunk/6.6.1/Data/WhatSplunkcanmonitor
Bye.
Giuseppe
P.S. If you're satisfied with my answer, accept it.


Hi seungman,
Did you follow the instructions on http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/AbouttheSplunkAdd-onforWindows ?
Anyway, you have to analyze the scope of your monitoring and enable only the inputs in your scope.
To enable these inputs you have to modify the inputs.conf file in $SPLUNK_HOME\etc\apps\local, changing "1" to "0" in the "disabled" options.
Remember that if there isn't an inputs.conf in the local folder, you have to copy it from the default folder; don't modify the one in the default folder, because you'll lose your changes at the first upgrade.
It's important to define the scope of your monitoring because Windows is very verbose and you could receive too many logs.
Bye.
Giuseppe
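To make the default/local layering and the "disabled" flag described in this reply concrete (and to check the Security stanza posted earlier in the thread), here is an added Python example. It is not code from the thread, from Splunk, or from the add-on: the default/inputs.conf content is a constructed stand-in for the add-on's shipped file (inputs disabled = 1), the local stanza is the one posted above, and the function names (parse_conf, effective_inputs, enabled_inputs, review_input) are the example's own. It merges local over default per key, the way Splunk resolves app configuration, lists which inputs end up enabled, and returns review notes on the settings that this thread discusses.

```python
import configparser

# Constructed stand-in for Splunk_TA_windows/default/inputs.conf.
# The add-on ships its event-log inputs switched off (disabled = 1),
# which is why a local/inputs.conf must flip them to 0.
DEFAULT_CONF = """
[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
evt_resolve_ad_obj = 1

[WinEventLog://System]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
"""

# The local/inputs.conf posted in the thread, embedded here as sample input.
LOCAL_CONF = """
[WinEventLog://Security]
index=security
current_only=1
evt_resolve_ad_obj=0
renderXml=1
disabled=0
"""

TRUE_VALUES = ("1", "true", "t", "y", "yes")
FALSE_VALUES = ("0", "false", "f", "n", "no")


def parse_conf(text):
    """Parse Splunk .conf text: INI-style stanzas, '=' separated, keys case-sensitive
    (Splunk distinguishes renderXml from renderxml, so optionxform must not lower-case)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {name: {k: v.strip() for k, v in cp[name].items()} for name in cp.sections()}


def effective_inputs(default_text, local_text):
    """Layer local/ over default/ key by key: a local stanza only overrides the keys it
    sets, every other default key survives. This mirrors how Splunk resolves app configs."""
    merged = parse_conf(default_text)
    for stanza, settings in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(settings)
    return merged


def is_enabled(settings):
    # inputs.conf treats a missing 'disabled' key as 0, i.e. the input is on.
    return settings.get("disabled", "0").lower() in FALSE_VALUES


def enabled_inputs(merged):
    """Names of the stanzas that will actually collect data after layering."""
    return sorted(name for name, settings in merged.items() if is_enabled(settings))


def review_input(stanza, settings):
    """Defender-side notes on an input's settings; each note is a plain string."""
    notes = []
    if "index" not in settings:
        notes.append(f"{stanza}: no index set, events land in the default index")
    if settings.get("renderXml", "0").lower() in TRUE_VALUES:
        notes.append(f"{stanza}: renderXml enabled; the thread reports forwarder "
                     "errors with it, check the 'splunk restart' output")
    if settings.get("current_only", "0").lower() in TRUE_VALUES:
        notes.append(f"{stanza}: current_only=1, events written before the input "
                     "started are never collected")
    return notes


if __name__ == "__main__":
    effective = effective_inputs(DEFAULT_CONF, LOCAL_CONF)
    for name in enabled_inputs(effective):
        print(f"enabled: {name}")
        for note in review_input(name, effective[name]):
            print(f"  note: {note}")
```

On a real installation the same merged view comes from the forwarder itself with `$SPLUNK_HOME/bin/splunk btool inputs list --debug`, which also prints the file each key was taken from; the example above reproduces that layering offline so the effect of a local stanza can be checked before the forwarder is restarted.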
