Getting Data In

Can't index data on network drives in (VirtualBox WinXP SP3)

Katsche
Path Finder

Hello all,

I have the problem that Splunk is not able to index any data which is on the host system. Splunk itself is running as a guest in VirtualBox on Windows XP. I am able to add a monitor on the host system by selecting

\\vboxsrv\documents\Logauswertungen\Logs

But Splunk won't index these files. Please see my old thread for further information. Since the other thread was concerning another issue, I am opening this one.

Kind regards

EDIT: Here are two screenshots showing the InputData and the Indexes:

  1. DataInputs
  2. Indexes

I think it's interesting that Splunk finds some files (actually there are only 2 files and 1 folder within this directory) but won't index them.

0 Karma
1 Solution

Katsche
Path Finder

I will use ubuntu server, this will be my answer to this issue...

MuS
SplunkTrust

good choice 🙂

0 Karma

MuS
SplunkTrust

Hi Katsche

again, splunkd.log is your friend - check it for errors/messages.

  • are the log files too small to be indexed?
  • are the log files binary?
  • why not copy the files locally onto your VM and index them then, just to see if this works?
  • like ftk said, are there any permission issues?
  • did you fix the 'service accessing UNC windows' stuff?

so many things to check ......... so little time 🙂

Katsche
Path Finder

So this bridging seems to be missing. I got a final solution: I will use ubuntu server, Windows XP is dead to me...

0 Karma

MuS
SplunkTrust

you're right, this is done by the VM tools. but a real share on your host should do the job, if the VM is bridged with the host's network, else it would not see the host's share.

0 Karma

Katsche
Path Finder

I think I found another problem: There is no "Documents" Share within the host system. This is all done by VirtualBox' Shared Folders and the guest additions. When I try to setup a share for everyone directly in my Managed Windows 7 Enterprise I can't see it in the guest system. Moreover the link to uwe-sieber.de describes this workaround for XP, does this even work with Win7 and XP together?

0 Karma

Katsche
Path Finder

I did everything on http://www.uwe-sieber.de/nullsessionshare.html on the host and guest system, it still won't work.
Maybe this is an error of VirtualBox? I am still getting the permissions error.

0 Karma

MuS
SplunkTrust

okay this was maybe my mistake 🙂 read this: http://www.uwe-sieber.de/nullsessionshare.html and you will (I did) learn, this should be done on your host and not the VM. because you try to access the host's share and not a share of the VM.

0 Karma

Katsche
Path Finder

I edited the Registry Entry (added "Documents") and restarted Windows. I still get the Tailing Processor-Permissions-Error. What do I have to do concerning the "Named Pipes"?

-> If your application uses Named Pipes and requires null session support.

From the HKEY_LOCAL_MACHINE subtree, go to the following key:

     \System
       \CurrentControlSet
         \Services
           \LanmanServer
             \Parameters
               \NullSessionPipes

On a new line within the NullSessionShares key, type in the pipe you want to access with a null session.

0 Karma

MuS
SplunkTrust

as the share is the first value after the servername, it should be 'Documents' in your case.

Katsche
Path Finder

I may sound stupid now, but I am still not sure what I have to type. I got "\vboxsrv\Documents\Logauswertungen\Logs\" or "E:\Logauswertungen\Logs\" ("Documents on vboxsrv (E:)") pointing on the same folder. What do I have to type? "Documents", "vboxsrv"? I just don't get it. 😛

0 Karma

MuS
SplunkTrust

🙂

like it says 'type in the share you want to access' so type in the share you want to access.

🙂

0 Karma

Katsche
Path Finder

I started working on your fix MuS. What do I have to enter in this step? "On a new line within the NullSessionShares key, type in the share you want to access with a null session (for example: "PUBLIC")"

0 Karma

MuS
SplunkTrust

here we go: Insufficient permissions!

fix the UNC windows 'bug' and you're set 😉

Katsche
Path Finder

@Ayn: I will check your link and post the results as soon as possible.

0 Karma

Katsche
Path Finder

@MuS: This is what I found in the splunkd.log: "08-18-2011 09:58:58.894 +0200 WARN TailingProcessor - Insufficient permissions to read file='\VBOXSVR\Documents\Logauswertung\Logs\SystemOut\14.SystemOut.log' (hint: Incorrect function.).
08-18-2011 09:58:58.894 +0200 WARN TailingProcessor - Insufficient permissions to read file='\VBOXSVR\Documents\Logauswertung\Logs\SystemOut\15.SystemOut.log' (hint: Incorrect function.).
"

0 Karma
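Added example, not part of any post in this thread: a small triage script that pulls the `TailingProcessor` "Insufficient permissions" warnings out of `splunkd.log` and groups them by UNC share and hint text. The line layout is taken from the two warnings quoted above; the sample lines, function names and the local-path case are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the WARN lines quoted in the thread.
SAMPLE_LOG = r"""
08-18-2011 09:58:58.894 +0200 WARN  TailingProcessor - Insufficient permissions to read file='\\VBOXSVR\Documents\Logauswertung\Logs\SystemOut\14.SystemOut.log' (hint: Incorrect function.).
08-18-2011 09:58:58.894 +0200 WARN  TailingProcessor - Insufficient permissions to read file='\\VBOXSVR\Documents\Logauswertung\Logs\SystemOut\15.SystemOut.log' (hint: Incorrect function.).
08-18-2011 09:59:01.120 +0200 INFO  TailingProcessor - Adding watch on path: C:\logs\local.
08-18-2011 09:59:03.400 +0200 WARN  TailingProcessor - Insufficient permissions to read file='C:\logs\local\locked.log' (hint: Access is denied.).
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\s+"
    r"(?P<level>[A-Z]+)\s+TailingProcessor - "
    r"Insufficient permissions to read file='(?P<path>[^']+)' "
    r"\(hint: (?P<hint>.*?)\)\.?\s*$"
)
# One or two leading backslashes, then server and share name.
UNC_RE = re.compile(r"^\\{1,2}(?P<server>[^\\]+)\\(?P<share>[^\\]+)")


def parse_permission_warnings(text):
    """Return one dict per 'Insufficient permissions' warning in the log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other components, other messages, blank lines
        unc = UNC_RE.match(m["path"])
        root = None
        if unc:
            root = "\\\\{}\\{}".format(unc["server"].upper(), unc["share"])
        events.append({
            "time": datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f %z"),
            "path": m["path"],
            "hint": m["hint"],
            "unc_root": root,  # None means the file is on a local drive
        })
    return events


def summarize(events):
    """Count warnings per (share root or 'local', hint) pair."""
    return Counter((e["unc_root"] or "local", e["hint"]) for e in events)


if __name__ == "__main__":
    for (root, hint), n in summarize(parse_permission_warnings(SAMPLE_LOG)).items():
        print(f"{n:3d}  {root}  ->  {hint}")
```

When every failing file sits under the same UNC root, the result is consistent with the cause MuS suggests in the thread (the account running the Splunk service cannot reach the share), rather than with permissions on individual files.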

MuS
SplunkTrust

Ayn's tool tip is very handy, use it.
but I still think your basic problem is that the service account is not able to access the UNC share - follow this http://support.microsoft.com/kb/124184/ to fix it. this has nothing to do with your filesystem permissions or if you are able to click in explorer and open a log file.

Ayn
Legend

On a related note, this tool could come in handy: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/

It lists the state of each input along with descriptions on why some inputs aren't indexed (if any) etc. Really useful!

Katsche
Path Finder

Except the third one, I don't get it. -> "3.You can also try by making the service as interactive by specifying SERVICE_INTERACTIVE_PROCESS in the servicetype parameter flag of your CreateService() function but this will be limited only till XP as Vista and 7 donot support this feature."

0 Karma

Katsche
Path Finder

(4) I thought the permissions are granted the second the guest additions in VirtualBox are setup. I can access all of the files in Windows Explorer. No permission issues visible to me. (5) I tried all of the options given here: http://stackoverflow.com/questions/182750/how-to-map-a-network-drive-to-be-used-by-a-service/3821317...

0 Karma