Deployment: input.conf is not executing on deploym...

mgivechi · ‎02-25-2011

I’ve created a simple deployment app for windows systems to filter unwanted logs from windows event logs. There are 4 files that is being pulled by deployment client to “winev/default” under app folder. All of the configuration files (props, transforms, output) are being executed except “input.conf”.

system/local/input.conf

[default]

host = TESTSERVER01

app/winev/default/input.conf

[WinEventLog:Application] disabled = 0 [WinEventLog:Security] disabled = 0 start_from = oldest [WinEventLog:System]

disabled = 0

The only related logs in splunkd.log are:

02-25-2011 12:51:03.159 INFO WinEventLogChannel - initWinEvtApi: We must be in an XP/2k3 family OS. Switching using the old Windows Event Log api: The specified module could not be found.. 02-25-2011 12:51:03.159 INFO loader - Instantiated plugin: queueoutputprocessor

02-25-2011 12:51:03.159 INFO WinEventLogInputProcessor - main-thread: Starting to monitor Windows Event Log channels for events

As soon as i move these stanzas to input.conf in local folder I’ll get can see logs is being forwarded (with successful filtering based on “winev” app):

02-25-2011 12:53:11.207 INFO WinEventLogChannel - initWinEvtApi: We must be in an XP/2k3 family OS. Switching using the old Windows Event Log api: The specified module could not be found.. 02-25-2011 12:53:11.222 INFO WinEventLogChannel - Initialized Windows Event Log='Application' Success; oldest_rec_id='866'; newest_rec_id='2101'; total_rec='1236' 02-25-2011 12:53:11.222 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Application' 02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Application': total_events='0' with empty_msg='0'. 02-25-2011 12:53:11.238 INFO WinEventLogChannel - init: Binding to DC to translate guids/sids for channel='Security' 02-25-2011 12:53:11.238 INFO WinEventLogChannel - Initialized Windows Event Log='Security' Success; oldest_rec_id='1'; newest_rec_id='289'; total_rec='289' 02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Security' 02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Security': total_events='0' with empty_msg='0'. 02-25-2011 12:53:11.238 INFO WinEventLogChannel - Initialized Windows Event Log='System' Success; oldest_rec_id='4959'; newest_rec_id='7389'; total_rec='2431' 02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'System' 02-25-2011 12:53:11.285 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'System': total_events='10' with empty_msg='0'.

02-25-2011 12:53:11.285 INFO WinEventLogInputProcessor - main-thread: Starting to monitor Windows Event Log channels for events

I even checked that Splunk is parsing my config files in deployment app by removing ‘#’ from my comments and double checking the splunkd.log. I would appreciate it if you could help me with this one

gkanapathy · ‎02-25-2011

I dont suppose the client is Windows 2000, is it? Windows 2000 isn't currently supported for collecting WMI or Event Logs.

mgivechi · ‎02-26-2011

The client is windows XP SP3.

Ayn · ‎02-25-2011

If you're writing the filename you're using correctly, the issue is due to a typo in the filename: the file should be called "inputs.conf" instead of "input.conf".

hazekamp · ‎04-11-2011

If the windows app has these outputs disabled these properties will override your properties since "windows" is evaluated before "winev".

mgivechi · ‎02-25-2011

Sorry, I mistype those file names.
I found something interesting if i remove "windows" from application everything will just work fine is it possible that "windows" and my app are conflicting some how?