Deployment Architecture

Deployment: input.conf is not executing on deployment client

mgivechi
New Member

I’ve created a simple deployment app for Windows systems to filter unwanted logs from Windows event logs. There are 4 files that are being pulled by the deployment client to “winev/default” under the app folder. All of the configuration files (props, transforms, output) are being executed except “input.conf”.

system/local/input.conf

[default]

host = TESTSERVER01

app/winev/default/input.conf

[WinEventLog:Application]
disabled = 0

[WinEventLog:Security]
disabled = 0
start_from = oldest

[WinEventLog:System]
disabled = 0

The only related logs in splunkd.log are:

02-25-2011 12:51:03.159 INFO WinEventLogChannel - initWinEvtApi: We must be in an XP/2k3 family OS. Switching using the old Windows Event Log api: The specified module could not be found..
02-25-2011 12:51:03.159 INFO loader - Instantiated plugin: queueoutputprocessor

02-25-2011 12:51:03.159 INFO WinEventLogInputProcessor - main-thread: Starting to monitor Windows Event Log channels for events

As soon as I move these stanzas to input.conf in the local folder, I can see logs being forwarded (with successful filtering based on the “winev” app):

02-25-2011 12:53:11.207 INFO WinEventLogChannel - initWinEvtApi: We must be in an XP/2k3 family OS. Switching using the old Windows Event Log api: The specified module could not be found..
02-25-2011 12:53:11.222 INFO WinEventLogChannel - Initialized Windows Event Log='Application' Success; oldest_rec_id='866'; newest_rec_id='2101'; total_rec='1236'
02-25-2011 12:53:11.222 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Application'
02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Application': total_events='0' with empty_msg='0'.
02-25-2011 12:53:11.238 INFO WinEventLogChannel - init: Binding to DC to translate guids/sids for channel='Security'
02-25-2011 12:53:11.238 INFO WinEventLogChannel - Initialized Windows Event Log='Security' Success; oldest_rec_id='1'; newest_rec_id='289'; total_rec='289'
02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Security'
02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Security': total_events='0' with empty_msg='0'.
02-25-2011 12:53:11.238 INFO WinEventLogChannel - Initialized Windows Event Log='System' Success; oldest_rec_id='4959'; newest_rec_id='7389'; total_rec='2431'
02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'System'
02-25-2011 12:53:11.285 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'System': total_events='10' with empty_msg='0'.

02-25-2011 12:53:11.285 INFO WinEventLogInputProcessor - main-thread: Starting to monitor Windows Event Log channels for events

I even checked that Splunk is parsing my config files in the deployment app by removing ‘#’ from my comments and double-checking splunkd.log. I would appreciate it if you could help me with this one.


gkanapathy
Splunk Employee

I don't suppose the client is Windows 2000, is it? Windows 2000 isn't currently supported for collecting WMI or Event Logs.


mgivechi
New Member

The client is Windows XP SP3.


Ayn
Legend

If you're writing the filename you're using correctly, the issue is due to a typo in the filename: the file should be called "inputs.conf" instead of "input.conf".


hazekamp
Builder

If the windows app has these outputs disabled, these properties will override your properties, since "windows" is evaluated before "winev".

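The two answers above (the inputs.conf filename and the "windows" app winning over "winev") both come down to how Splunk layers configuration files. The following is an added example, not Splunk's own code or anything from this thread: a small model of the documented precedence rules for the global context (system/local, then all apps' local directories, then all apps' default directories, then system/default; within an app layer, apps are processed in ASCII sort order and the app that sorts first wins, so "windows" beats "winev" because 'd' sorts before 'e'), plus [default] stanza inheritance and the fact that only a file named exactly inputs.conf is read. The contents of the "windows" app file and the system/local file are constructed for the example; the real windows app may ship different stanzas.

```python
"""Model of how Splunk layers inputs.conf files across configuration directories.

Added example; this is not Splunk's own code. It reproduces the documented
precedence rules for the global context:
  1. $SPLUNK_HOME/etc/system/local beats every app directory; apps' local/
     directories beat apps' default/ directories; system/default comes last.
  2. Within one app layer, apps are processed in ASCII sort order and the app
     that sorts FIRST wins. 'windows' sorts before 'winev' because 'd' < 'e',
     so a setting in the windows app overrides the same setting in winev.
  3. Attributes in a [default] stanza are inherited by every other stanza.
  4. Only files named exactly inputs.conf are read; 'input.conf' is ignored.
All file contents below are constructed for the example.
"""
import posixpath

# Constructed stanzas the poster wants to add (a subset of the post's inputs.conf).
WINEV_STANZAS = (
    "[WinEventLog:Security]\n"
    "disabled = 0\n"
    "start_from = oldest\n"
    "[WinEventLog:System]\n"
    "disabled = 0\n"
)

# Constructed baseline: a 'windows' app shipping the channels disabled, and
# the poster's system/local file that only sets the host.
BASE_FILES = {
    "apps/windows/default/inputs.conf": (
        "# hypothetical contents of the windows app, constructed for this example\n"
        "[WinEventLog:Security]\n"
        "disabled = 1\n"
        "[WinEventLog:System]\n"
        "disabled = 1\n"
    ),
    "system/local/inputs.conf": "[default]\nhost = TESTSERVER01\n",
}


def parse_conf(text):
    """Parse Splunk .conf syntax ([stanza] headers, key = value, '#' comments)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def layer_order(files):
    """Return paths (relative to $SPLUNK_HOME/etc) with the highest precedence first.

    Files whose basename is not exactly 'inputs.conf' are dropped, which is what
    happens to a file accidentally saved as 'input.conf'.
    """
    def rank(path):
        parts = path.split("/")
        top, scope = parts[0], parts[-2]
        if top == "system":
            return (0 if scope == "local" else 3, "")
        # parts[1] is the app name; ASCII order breaks ties, earlier name wins.
        return (1 if scope == "local" else 2, parts[1])

    readable = [p for p in files if posixpath.basename(p) == "inputs.conf"]
    return sorted(readable, key=rank)


def effective_config(files):
    """Merge all layers so a key from a higher-precedence file wins, then apply [default]."""
    merged = {}
    for path in reversed(layer_order(files)):  # lowest precedence first; later writes win
        for stanza, kv in parse_conf(files[path]).items():
            merged.setdefault(stanza, {}).update(kv)
    defaults = merged.pop("default", {})
    return {name: {**defaults, **kv} for name, kv in merged.items()}


def effective_with_stanzas_at(path):
    """Effective config when WINEV_STANZAS are appended to the given file."""
    files = dict(BASE_FILES)
    files[path] = files.get(path, "") + WINEV_STANZAS
    return effective_config(files)


if __name__ == "__main__":
    for path in ("apps/winev/default/input.conf",   # the typo: file is never read
                 "apps/winev/default/inputs.conf",  # read, but 'windows' sorts first
                 "apps/winev/local/inputs.conf",    # any app local beats any app default
                 "system/local/inputs.conf"):       # what the poster saw working
        sec = effective_with_stanzas_at(path)["WinEventLog:Security"]
        print(f"{path:34} Security disabled={sec['disabled']} host={sec['host']}")
```

On a real forwarder the same question is answered by `splunk btool inputs list --debug`, which prints every effective setting together with the file it was taken from; a stanza that never appears there is either in a file Splunk does not read or has been overridden by an earlier-sorting app.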

mgivechi
New Member

Sorry, I mistyped those file names.
I found something interesting: if I remove "windows" from the application, everything works fine. Is it possible that "windows" and my app are conflicting somehow?
