Deployment Architecture

Deployment: input.conf is not executing on deployment client

New Member

I’ve created a simple deployment app for Windows systems to filter unwanted logs from Windows event logs. There are 4 files that are being pulled by the deployment client to “winev/default” under the app folder. All of the configuration files (props, transforms, outputs) are being executed except “input.conf”.

system/local/input.conf

[default]

host = TESTSERVER01

app/winev/default/input.conf

[WinEventLog:Application]
disabled = 0

[WinEventLog:Security]
disabled = 0
start_from = oldest

[WinEventLog:System]
disabled = 0

The only related logs in splunkd.log are:

02-25-2011 12:51:03.159 INFO WinEventLogChannel - initWinEvtApi: We must be in an XP/2k3 family OS. Switching using the old Windows Event Log api: The specified module could not be found..
02-25-2011 12:51:03.159 INFO loader - Instantiated plugin: queueoutputprocessor

02-25-2011 12:51:03.159 INFO WinEventLogInputProcessor - main-thread: Starting to monitor Windows Event Log channels for events

As soon as I move these stanzas to input.conf in the local folder, I can see logs being forwarded (with successful filtering based on the “winev” app):

02-25-2011 12:53:11.207 INFO WinEventLogChannel - initWinEvtApi: We must be in an XP/2k3 family OS. Switching using the old Windows Event Log api: The specified module could not be found..
02-25-2011 12:53:11.222 INFO WinEventLogChannel - Initialized Windows Event Log='Application' Success; oldest_rec_id='866'; newest_rec_id='2101'; total_rec='1236'
02-25-2011 12:53:11.222 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Application'
02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Application': total_events='0' with empty_msg='0'.
02-25-2011 12:53:11.238 INFO WinEventLogChannel - init: Binding to DC to translate guids/sids for channel='Security'
02-25-2011 12:53:11.238 INFO WinEventLogChannel - Initialized Windows Event Log='Security' Success; oldest_rec_id='1'; newest_rec_id='289'; total_rec='289'
02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Security'
02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Security': total_events='0' with empty_msg='0'.
02-25-2011 12:53:11.238 INFO WinEventLogChannel - Initialized Windows Event Log='System' Success; oldest_rec_id='4959'; newest_rec_id='7389'; total_rec='2431'
02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'System'
02-25-2011 12:53:11.285 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'System': total_events='10' with empty_msg='0'.

02-25-2011 12:53:11.285 INFO WinEventLogInputProcessor - main-thread: Starting to monitor Windows Event Log channels for events

I even checked that Splunk is parsing my config files in the deployment app by removing ‘#’ from my comments and double-checking splunkd.log. I would appreciate it if you could help me with this one.

0 Karma

Re: Deployment: input.conf is not executing on deployment client

Legend

If you're writing the filename you're using correctly, the issue is due to a typo in the filename: the file should be called "inputs.conf" instead of "input.conf".

0 Karma

Re: Deployment: input.conf is not executing on deployment client

New Member

Sorry, I mistyped those file names.
I found something interesting: if I remove "windows" from the application, everything will just work fine. Is it possible that "windows" and my app are conflicting somehow?

0 Karma

Re: Deployment: input.conf is not executing on deployment client

Builder

If the windows app has these outputs disabled, these properties will override your properties, since "windows" is evaluated before "winev".

0 Karma
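The precedence the reply describes can be worked through in a small model. The script below is an added example, not code from the thread or from Splunk; it models the global-context layering (system/local over each app's local over each app's default over system/default, with apps inside a layer taken in ASCII order and the first-sorting app winning) and replays the two situations the poster reported. The "winev" stanzas and the system/local host setting are the poster's; the contents of the "windows" app are a constructed assumption, since the reply only says "if the windows app has these outputs disabled".

```python
"""Model of Splunk inputs.conf layering (added example, not from the thread).

Precedence in the global context, highest first:
  system/local > <app>/local > <app>/default > system/default
Within the app layers, apps are taken in ASCII order and the app that
sorts FIRST wins, so "windows" (d < e) beats "winev".
"""
from typing import Dict, Tuple

Conf = Dict[str, Dict[str, str]]     # stanza -> {key: value}
Origin = Dict[str, Dict[str, str]]   # stanza -> {key: file the value came from}


def parse_conf(text: str) -> Conf:
    """Parse a Splunk-style .conf: [stanza] headers and key = value lines."""
    conf: Conf = {}
    stanza = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
            continue
        key, _, value = line.partition("=")
        conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf


def merge_layers(system_local: Conf, app_local: Dict[str, Conf],
                 app_default: Dict[str, Conf], system_default: Conf) -> Tuple[Conf, Origin]:
    """Apply layers from lowest to highest precedence so later writes win.
    Apps in one layer are applied in reverse ASCII order, so the app that
    sorts first is applied last and therefore wins."""
    merged: Conf = {}
    origin: Origin = {}

    def apply(conf: Conf, source: str) -> None:
        for stanza, kv in conf.items():
            merged.setdefault(stanza, {})
            origin.setdefault(stanza, {})
            for key, value in kv.items():
                merged[stanza][key] = value
                origin[stanza][key] = source

    apply(system_default, "system/default")
    for app in sorted(app_default, reverse=True):
        apply(app_default[app], f"apps/{app}/default")
    for app in sorted(app_local, reverse=True):
        apply(app_local[app], f"apps/{app}/local")
    apply(system_local, "system/local")

    # [default] settings apply to every stanza that does not set them itself.
    for key, value in merged.get("default", {}).items():
        for stanza in merged:
            if stanza != "default" and key not in merged[stanza]:
                merged[stanza][key] = value
                origin[stanza][key] = origin["default"][key]
    return merged, origin


# The poster's files, as shown in the question.
WINEV_DEFAULT = """
[WinEventLog:Application]
disabled = 0
[WinEventLog:Security]
disabled = 0
start_from = oldest
[WinEventLog:System]
disabled = 0
"""
SYSTEM_LOCAL_HOST = """
[default]
host = TESTSERVER01
"""
# Constructed assumption: a "windows" app that ships the same channels disabled.
WINDOWS_DEFAULT = """
[WinEventLog:Application]
disabled = 1
[WinEventLog:Security]
disabled = 1
[WinEventLog:System]
disabled = 1
"""


def effective_inputs(stanzas_in_system_local: bool = False) -> Tuple[Conf, Origin]:
    """False: winev stanzas in apps/winev/default beside apps/windows/default (as deployed).
    True: the poster's workaround, the same stanzas placed in system/local."""
    app_default = {"windows": parse_conf(WINDOWS_DEFAULT)}
    system_local = parse_conf(SYSTEM_LOCAL_HOST)
    if stanzas_in_system_local:
        for stanza, kv in parse_conf(WINEV_DEFAULT).items():
            system_local.setdefault(stanza, {}).update(kv)
    else:
        app_default["winev"] = parse_conf(WINEV_DEFAULT)
    return merge_layers(system_local, {}, app_default, {})


if __name__ == "__main__":
    for label, flag in (("as deployed", False), ("moved to system/local", True)):
        conf, origin = effective_inputs(flag)
        sec = conf["WinEventLog:Security"]
        print(f"{label}: Security disabled={sec['disabled']} "
              f"(from {origin['WinEventLog:Security']['disabled']}), host={sec['host']}")
```

Run as deployed, the model reports the Security channel disabled by apps/windows/default even though winev sets it to 0; with the stanzas moved to system/local they win, which matches what the poster saw in splunkd.log. On an actual forwarder the same question is answered by `splunk btool inputs list --debug`, which prints the file each effective setting came from.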

Re: Deployment: input.conf is not executing on deployment client

Legend

I don't suppose the client is Windows 2000, is it? Windows 2000 isn't currently supported for collecting WMI or Event Logs.

0 Karma

Re: Deployment: input.conf is not executing on deployment client

New Member

The client is Windows XP SP3.

0 Karma