Forwarder / Windows / monitor source

vladx
New Member

Hi,

I have the following very simple use case:

-- Some logs (these are basically Linux logs) are available as a share from a Windows machine. The share is mapped to drive Z:
-- A universal forwarder is installed on this machine and configured to monitor this directory

The relevant part of my input.conf looks like this:

[monitor://Z:]
recursive = true
disabled = 0

[monitor://Z:\2017\02-09]
disabled = 0

None of them are working and nothing is received in Splunk. When I enable eventlog or perfmon sources, these are successfully indexed.

Any idea what's wrong?

Thank you

0 Karma

lguinn2
Legend

The answer appears to be permissions and is well-described in the comments.

But I would like to point out another problem: your inputs.conf has overlapping stanzas.
Do not do this! The first stanza monitors the entire Z: directory tree. The second stanza is redundant and should be removed. So your inputs.conf should look like this:

[monitor://Z:]
recursive = true
disabled = 0
0 Karma

3no
Communicator

Are you running splunkd on a Windows machine? If so, maybe the service is running in a different user context to you. Have you tried to use the full UNC name of the folder instead of Z:?

You can get this from issuing a NET USE command on a machine that has the relevant Z: drive. It will look something like "\\ServerName\ShareName".

0 Karma

ddrillic
Ultra Champion

Good place to start - I can't find my data!

0 Karma

DMohn
Motivator

As you are talking about a share: have you made sure that your Splunk user may access this shared folder?

0 Karma

vladx
New Member

I suppose this is where the dog lies buried. When I copied one of the logs from the share to the local disk, it is successfully sent to Splunk, but from the share it isn't.

I've changed the user that runs the Splunk forwarder to my domain account, and I also made sure the share is accessible using my domain account, but it is still not working. I suppose that when I map a drive, it is not visible to the forwarder (or any service account); however, I can see this in the log:

TailingProcessor - Parsing configuration stanza: monitor://Z:.

Any idea?

Thank you

0 Karma

vladx
New Member

It seems the UNC way is working, at least when I share the files from a Windows server. Unfortunately, in my use case we are sharing from an appliance using Samba, and with this there are some access denied errors, but this is not a Splunk-related issue.

So, the solution: use the UNC path, but also make sure the access rights on the share and files are set properly, so the Splunk user can descend into the directories and read the files.

Thank you again

0 Karma
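
An added example, not part of the original thread and not Splunk tooling: a small Python check that flags the two inputs.conf problems discussed above (monitor stanzas on a mapped drive letter, and overlapping stanzas) and prints the suggested UNC stanzas. The function names are hypothetical, the drive-to-UNC mapping is assumed to be copied by hand from NET USE output, and \\ServerName\ShareName is the placeholder from the thread.

```python
import re

# Constructed sample: the two stanzas posted in the question.
SAMPLE_INPUTS = r"""
[monitor://Z:]
recursive = true
disabled = 0

[monitor://Z:\2017\02-09]
disabled = 0
"""

# Assumption: mapping typed in from NET USE output on the forwarder host.
SAMPLE_MAPPED = {"Z:": r"\\ServerName\ShareName"}

STANZA = re.compile(r"^\[monitor://(.+?)\]\s*$", re.MULTILINE)

def to_unc(path, mapped):
    """Rewrite a mapped-drive path to its UNC form; other paths pass through."""
    drive, rest = path[:2].upper(), path[2:]
    if drive in mapped:
        return mapped[drive].rstrip("\\") + rest
    return path

def is_under(child, parent):
    """True if child equals parent or lies below it (case-insensitive)."""
    c, p = child.rstrip("\\").lower(), parent.rstrip("\\").lower()
    return c == p or c.startswith(p + "\\")

def lint(conf_text, mapped):
    """Return (findings, suggested stanza headers) for the monitor inputs."""
    findings, kept = [], []
    paths = [m.group(1) for m in STANZA.finditer(conf_text)]
    # Shortest UNC form first, so a parent directory is seen before its children.
    for path in sorted(paths, key=lambda p: len(to_unc(p, mapped))):
        unc = to_unc(path, mapped)
        if unc != path:
            findings.append(f"[monitor://{path}] uses a mapped drive; use {unc}")
        # A recursive parent stanza (as in the thread) already covers the subtree.
        covering = next((k for k in kept if is_under(unc, k)), None)
        if covering:
            findings.append(f"[monitor://{path}] overlaps [monitor://{covering}]")
        else:
            kept.append(unc)
    return findings, [f"[monitor://{k}]" for k in kept]

if __name__ == "__main__":
    issues, stanzas = lint(SAMPLE_INPUTS, SAMPLE_MAPPED)
    print("\n".join(issues + ["Suggested:"] + stanzas))
```

The check only rewrites the path; the account that runs the forwarder service still needs read access to the share and the files, as noted in the thread.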