Getting Data In

Can't index data on network drives in (VirtualBox WinXP SP3)

Path Finder

Hello all,

I got the problem, that Splunk is not able to index any data which is on the host system. Splunk itself is running as a guest in VirtualBox on Windows XP. I am able to add a monitoring to the host system by selecting

\\vboxsrv\documents\Logauswertungen\Logs

But Splunk won't index these files. Please see My old Thread for further information. Since the other Thread was concerning another issue, I am opining this one.

Kind regards

EDIT: Here are two screenshots showing the InputData and the Indexes:

  1. DataInputs
  2. Indexes

I think it's interesting that Splunk finds some files (actually there are only 2 files and 1 folder within this directory) but won't index them.

Tags (2)
0 Karma
1 Solution

Path Finder

I will use ubuntu server, this will be my answer to this issue...

View solution in original post

Path Finder

I will use ubuntu server, this will be my answer to this issue...

View solution in original post

SplunkTrust
SplunkTrust

good choice 🙂

0 Karma

SplunkTrust
SplunkTrust

Hi Katsche

again, splunkd.log is your friend - check it for errors/messages.

  • are the log files to small to be indexed?
  • are the log files binary?
  • why don't copy the files locally onto your VM and index them then just to see if this works?
  • like ftk said, are there any permission issues?
  • did you fix the 'service accessing UNC windows' stuff?

so many things to check ......... so little time 🙂

Path Finder

So this bridging seems to be missing. I got a final solution: I will use ubuntu server, Windows XP is dead to me...

0 Karma

SplunkTrust
SplunkTrust

your right this is done by the VM tools. but a real share on your host should do the job, if the VM is bridged with the hosts network, else it would not see the hosts share.

0 Karma

Path Finder

I think a found another problem: There is no "Documents" Share within the host system. This is all done by VirtualBox' Shared Folders and the guest additions. When I try to setup a share for everyone directly in my Managed Windows 7 Enterprise I can't see it in the guest system. Moreover the link to uwe-sieber.de describes this workaround for XP, does this even work with Win7 and XP togehter?

0 Karma

Path Finder

I did everything on http://www.uwe-sieber.de/nullsessionshare.html on the host and guest system, it still won't work.
Maybe this is a error of VirtualBox? I am still getting the permissions error.

0 Karma

SplunkTrust
SplunkTrust

okay this was maybe my mistake 🙂 read this: http://www.uwe-sieber.de/nullsessionshare.html and you will (I did) learn, this should be done on your host and not the VM. because you try to access the hosts share and not a share of the VM.

0 Karma

Path Finder

I edited the Registry Entry (added "Documents") and restarted Windows. I still get the Tailing Processor-Permissions-Error. What do I have to do concerning the "Named Pipes"?

-> If your application uses Named Pipes and requires null session support.

From the HKEY_LOCAL_MACHINE subtree, go to the following key:

     \System
       \CurrentControlSet
         \Services
           \LanmanServer
             \Parameters
               \NullSessionPipes

On a new line within the NullSessionShares key, type in the pipe you want to access with a null session.

0 Karma

SplunkTrust
SplunkTrust

as the share is the first value after the servername, it should be 'Documents' in your case.

Path Finder

I may sound stupid now, but I am sill not sure what I have to type. I got "\vboxsrv\Documents\Logauswertungen\Logs\" or "E:\Logauswertungen\Logs\" ("Documents on vboxsrv (E:)") pointing on the same folder. What do I have to type? "Documents", "vboxsrv"? I just don't get it. 😛

0 Karma

SplunkTrust
SplunkTrust

🙂

like it says 'type in the share you want to access' so type in the share you want to access.

🙂

0 Karma

Path Finder

I started working on your fix MuS. What do I have to enter in this step? "On a new line within the NullSessionShares key, type in the share you want to access with a null session (for example: "PUBLIC")"

0 Karma

SplunkTrust
SplunkTrust

here we go: Insufficient permissions!

fix the UNC windows 'bug' and your set 😉

Path Finder

@Ayn: I will check your link and post the results as soon as possible.

0 Karma

Path Finder

@MuS: This is what I found in the splunkd.log: "08-18-2011 09:58:58.894 +0200 WARN TailingProcessor - Insufficient permissions to read file='\VBOXSVR\Documents\Logauswertung\Logs\SystemOut\14.SystemOut.log' (hint: Incorrect function.).
08-18-2011 09:58:58.894 +0200 WARN TailingProcessor - Insufficient permissions to read file='\VBOXSVR\Documents\Logauswertung\Logs\SystemOut\15.SystemOut.log' (hint: Incorrect function.).
"

0 Karma

SplunkTrust
SplunkTrust

Ayn's tool tip is very handy use it.
but I still think your basic problem is that the service account is not able to access the UNC share - follow this http://support.microsoft.com/kb/124184/ to fix it. this has nothing to do with your filesystem permissions or if you are able to click in explorer and open a log file.

Legend

On a related note, this tool could come in handy: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/

It lists the state of each input along with descriptions on why some inputs aren't indexed (if any) etc. Really useful!

Path Finder

Except the third one, I don't get it. -> "3.You can also try by making the service as interactive by specifying SERVICE_INTERACTIVE_PROCESS in the servicetype parameter flag of your CreateService() function but this will be limited only till XP as Vista and 7 donot support this feature."

0 Karma

Path Finder

(4) I thought the permissions are granted the second the guest additions in VirtualBox are setup. I can access all of the files in Windows Explorer. No permission issues visible to me. (5) I tried all of the options given here: http://stackoverflow.com/questions/182750/how-to-map-a-network-drive-to-be-used-by-a-service/3821317...

0 Karma