Splunk Add-on for Windows Setup steps

seungman
Path Finder

Hi.
I installed Splunk Add-on for Microsoft Windows version 4.8.4 on Splunk 6.5.3.
However, after installing this app, there is only a message like the one below:
Overview

The Splunk Add-on for Microsoft Windows provides pre-built data inputs to facilitate Windows system monitoring using Splunk. Check out the Splunk Add-on for Microsoft Windows page on Splunkbase for support information, the latest updates, and more.

Configuration of inputs through this application are global, and might affect how other Splunk applications on the system use those inputs. After configuration, confirm that the changes you make in this application do not negatively alter the other applications.

There is no available menu.
Have you ever installed this app successfully in the same situation as mine?

Thanks
Seung-Man Jo

0 Karma
1 Solution

seungman
Path Finder

Hi cusello.
After I installed the app, there wasn't an inputs.conf file.
Hence I created one like below:
[root@ip-172-31-28-27 local]# cat inputs.conf
[WinEventLog://Security]
index=security
current_only=1
evt_resolve_ad_obj=0
renderXml=1
disabled=0

Is it a correct inputs.conf file?

Thanks
Seung-Man Jo

0 Karma

gcusello
SplunkTrust

Hi Jo,
Yes, it's correct.
Usually I prefer to use the default index "wineventlog" instead of a custom one, but you're correct; it's only a practice of mine.
In addition, I found that the option "renderXml=1" sometimes gives an error, and usually I don't use it: you can verify this by restarting the Splunk Forwarder from the CLI; in this way you can see the startup messages and any configuration errors.

Bye.
Giuseppe

0 Karma

seungman
Path Finder

Hi cusello.

Thanks for the quick feedback.
Yes, I deleted the 'renderXml=1' value and rebooted the OS as well.
However, it's still the same.
Are there any checkpoints?

Here is my folder information.
[root@ip-172-31-28-27 local]# ll
total 8
-rw------- 1 root root 65 Jun 20 05:26 app.conf
-rw-r--r-- 1 root root 100 Jun 20 07:26 inputs.conf
[root@ip-172-31-28-27 local]# pwd
/etc/apps/splunk/etc/apps/Splunk_TA_windows/local
[root@ip-172-31-28-27 local]#

Thanks
Seung-Man Jo

0 Karma

gcusello
SplunkTrust

Hi Jo,
You don't need to reboot the OS, only the Splunk Forwarder.

Sorry, but examining your information, I see that you're running TA_Windows on a Unix system! TA_Windows must be installed on the target Windows server you want to monitor, not on the Splunk Enterprise server!
You can deploy it manually or using a Deployment Server; anyway, it must run on a Windows server!

See very carefully the documentation at https://docs.splunk.com/Documentation/Splunk/6.6.1/Data/WhatSplunkcanmonitor

Bye.
Giuseppe

P.S. If you're satisfied with my answer, accept it.

0 Karma

gcusello
SplunkTrust

Hi seungman,
Did you follow the instructions at http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/AbouttheSplunkAdd-onforWindows ?
Anyway, you have to analyze the scope of your monitoring and enable only the inputs in your scope.
To enable these inputs, you have to modify the inputs.conf file in $SPLUNK_HOME\etc\apps\local, changing "1" to "0" in the "disabled" options.
Remember that if there isn't an inputs.conf in the local folder, you have to copy it from the default folder; don't modify the one in the default folder, because you'll lose your changes at the first upgrade.
It's important to define the scope of your monitoring, because Windows is very verbose and you could receive too many logs.
Bye.
Giuseppe

0 Karma
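As an added example (not code from the thread or from the add-on), the following Python script mimics the default/local layering Giuseppe describes and reports which WinEventLog inputs end up enabled, so the monitoring scope can be checked before restarting the forwarder. The default/inputs.conf content is constructed for illustration; the local/inputs.conf is the file posted in the thread.

```python
# Mimic Splunk's default/local layering for Splunk_TA_windows/inputs.conf: a key set in
# local replaces the same key in default, stanza by stanza; default itself stays untouched.

# Constructed stand-in for the add-on's default/inputs.conf (not the shipped file).
DEFAULT_CONF = """
[WinEventLog://Application]
disabled = 1
index = wineventlog

[WinEventLog://Security]
disabled = 1
index = wineventlog
evt_resolve_ad_obj = 1
renderXml = false
"""

# local/inputs.conf as posted in the thread: index changed, renderXml on, input enabled.
LOCAL_CONF = """
[WinEventLog://Security]
index=security
current_only=1
evt_resolve_ad_obj=0
renderXml=1
disabled=0
"""

def parse_conf(text):
    """Parse Splunk's INI-like .conf syntax into {stanza: {key: value}}."""
    conf, stanza = {}, "default"  # settings before any header belong to [default]
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf

def merge(default, local):
    """local overrides default key by key; stanzas present only in local are added."""
    merged = {name: dict(keys) for name, keys in default.items()}
    for name, keys in local.items():
        merged.setdefault(name, {}).update(keys)
    return merged

def enabled_inputs(conf):
    """WinEventLog stanzas that will actually collect after a forwarder restart."""
    return sorted(name for name, keys in conf.items() if name.startswith("WinEventLog://")
                  and keys.get("disabled", "0").lower() not in ("1", "true"))
```

On a real forwarder, `splunk btool inputs list --debug` performs this merge across all installed apps and shows which file each effective setting comes from.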