UF not monitoring the directory

jibin1988
Path Finder

UF is not reading DHCP logs:

Internal logs:
11-12-2019 11:34:13.775 +0300 INFO TailingProcessor - Adding watch on path: G:\dhcp\logs.

No ERROR logs or WARN logs

inputs.conf

[monitor://G:\dhcp\logs]
disabled = false
whitelist = Dhcp*
crcSalt =
initCrcLength = 2000
alwaysOpenFile = 1
sourcetype = DhcpLog
index = windows_it

0 Karma

codebuilder
Influencer

Your whitelist parameter is not recursive. Therefore, if your logs reside in a sub-directory, they will not be picked up.
Also, if your logs do not have a file extension, Splunk will see them as binary and exclude them by default.

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Inputsconf
Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored inputs. Use
"..." for recursive directory matching and "*" for wildcard matching in a
single directory segment.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
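The wildcard rules quoted from the inputs.conf documentation above, shown as an added example (not part of the original answer and not Splunk's own code). It approximates the documented semantics by translating "..." and "*" in a monitor path into a regex; the function names and the file paths are constructed for illustration.

```python
import re

# Constructed sample paths: one file directly in the monitored directory,
# two in sub-directories, and one unrelated file.
FILES = [
    r"G:\dhcp\logs\DhcpSrvLog-Mon.log",
    r"G:\dhcp\logs\archive\DhcpSrvLog-Tue.log",
    r"G:\dhcp\logs\archive\2019\DhcpV6SrvLog-Wed.log",
    r"G:\dhcp\logs\readme.txt",
]


def monitor_path_to_regex(path):
    """Translate a monitor path containing "..." and "*" into an anchored regex.

    Assumption: "..." may span any number of directory levels and "*" stays
    inside a single path segment, as the quoted documentation describes.
    """
    parts, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            parts.append(".*")          # recursive: may cross path separators
            i += 3
        elif path[i] == "*":
            parts.append(r"[^\\/]*")    # single segment: stops at \ or /
            i += 1
        else:
            parts.append(re.escape(path[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def matching_files(monitor_path, files):
    """Return the files whose full path matches the wildcard monitor path."""
    rx = monitor_path_to_regex(monitor_path)
    return [f for f in files if rx.match(f)]


if __name__ == "__main__":
    for stanza in (r"G:\dhcp\logs\Dhcp*", r"G:\dhcp\...\Dhcp*"):
        print("[monitor://%s]" % stanza)
        for f in matching_files(stanza, FILES):
            print("   would match:", f)
```

On the forwarder itself, `splunk list monitor` shows which files the configured inputs actually resolved to.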

gcusello
SplunkTrust

Hi @jibin1988,
what's the user of the splunkforwarder process, SYSTEM_LOCAL?
I think that the crcSalt row is crcSalt = <SOURCE> but there's a visualization problem (please use the Code Sample button), is it correct?

Ciao.
Giuseppe

0 Karma