Forwarder / Windows / monitor source

vladx
New Member

Hi,

I have the following very simple use case:

-- some logs (these are basically Linux logs) are available as a share from a Windows machine. The share is mapped to drive Z:
-- a universal forwarder is installed on this machine and configured to monitor this directory

The relevant part of my inputs.conf looks like this:

[monitor://Z:]
recursive = true
disabled = 0

[monitor://Z:\2017\02-09]
disabled = 0

None of them are working and nothing is received in Splunk. When I enable eventlog or perfmon sources, these are successfully indexed.

Any idea what's wrong?

Thank you

0 Karma

lguinn2
Legend

The answer appears to be permissions and is well-described in the comments.

But I would like to point out another problem: your inputs.conf has overlapping stanzas.
Do not do this! The first stanza monitors the entire Z: directory tree. The second stanza is redundant and should be removed. So your inputs.conf should look like this:

[monitor://Z:]
recursive = true
disabled = 0

0 Karma

vladx
New Member

So, the solution: use the UNC path, but also make sure the access rights on the share and files are set properly, so the splunk user can descend into the directories and read the files.

0 Karma

3no
Communicator

Are you running splunkd on a Windows machine? If so, maybe the service is running in a different user context to you. Have you tried to use the full UNC name of the folder instead of Z:?

You can get this from issuing a NET USE command on a machine that has the relevant Z: drive. It will look something like "\\ServerName\ShareName".

0 Karma
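
The check suggested in the reply above, written out as an added PowerShell example (it is not code from the thread or from Splunk). It reports the account the forwarder service runs as, resolves Z: to its UNC target, tests read access, and prints a UNC-based monitor stanza. The service name `SplunkForwarder` and the `[monitor://\\server\share]` stanza form are assumptions.

```powershell
# Added example; assumed values are marked.
$ServiceName = 'SplunkForwarder'   # assumed service name of the universal forwarder
$DriveLetter = 'Z:'                # mapped drive from the question

# 1. Account the forwarder service logs on as (LocalSystem, a domain user, ...).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this machine." }
Write-Output "Forwarder runs as : $($svc.StartName)"

# 2. Resolve the drive letter to its UNC target (the value NET USE shows).
#    DriveType 4 = network drive. The mapping belongs to the current logon
#    session only, which is why a service may not see the same drive letter.
$disk = Get-CimInstance -ClassName Win32_LogicalDisk `
    -Filter "DeviceID='$DriveLetter' AND DriveType=4"
if (-not $disk) { throw "$DriveLetter is not a mapped network drive in this session." }
$unc = $disk.ProviderName
Write-Output "UNC target        : $unc"

# 3. Descend into the share and try to open every file for reading.
#    This tests the account running this script; start the shell as the
#    service account to test what the forwarder itself is allowed to read.
$unreadable = [System.Collections.Generic.List[string]]::new()
$files = Get-ChildItem -LiteralPath $unc -Recurse -File `
    -ErrorAction SilentlyContinue -ErrorVariable dirErrors
foreach ($e in $dirErrors) { $unreadable.Add("$($e.TargetObject)") }
foreach ($f in $files) {
    try {
        $fs = [System.IO.File]::Open($f.FullName, 'Open', 'Read', 'ReadWrite')
        $fs.Dispose()
    } catch {
        $unreadable.Add($f.FullName)
    }
}
Write-Output "Readable files    : $(@($files).Count - @($files | Where-Object { $unreadable -contains $_.FullName }).Count)"
Write-Output "Access problems   : $($unreadable.Count)"
$unreadable | Select-Object -First 10 | ForEach-Object { "  denied: $_" }

# 4. Stanza to put in inputs.conf in place of the drive-letter stanzas.
Write-Output ''
Write-Output "[monitor://$unc]"
Write-Output 'recursive = true'
Write-Output 'disabled = 0'
```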

ddrillic
Ultra Champion

Good place to start - I can't find my data!

0 Karma

DMohn
Motivator

As you are talking about a share: Have you made sure that your splunk user may access this shared folder?

0 Karma

vladx
New Member

It seems the UNC way is working, at least when I share the files from a Windows server. Unfortunately, in my use case we are sharing from an appliance using Samba, and with this there are some access denied errors, but this is not a Splunk-related issue.

So, the solution: use the UNC path, but also make sure the access rights on the share and files are set properly, so the splunk user can descend into the directories and read the files.

Thank you again

0 Karma

vladx
New Member

I suppose this is where the dog lies buried. When I copied one of the logs from the share to the local disk, it was successfully sent to Splunk; from the share, however, it isn't.

I've changed the user that runs the Splunk forwarder to my domain account, and I also made sure the share is accessible using my domain account, but it is still not working. I suppose when I map a drive, it is not visible to the forwarder (or any service account); however, I can see this in the log:

TailingProcessor - Parsing configuration stanza: monitor://Z:.

Any idea?

Thank you

0 Karma
