Getting Data In

How do I set up a Splunk forwarder to monitor and forward log files within a certain path?

hastrike
New Member

We are wanting to modify our Splunk forwarders on workstations to look at other log files and I am curious how to go about doing this.The location of the log files on the computers are as follows. I am really new to Splunk.

Log Files within this path: C:\Users\\AppData\Local\Temp\inin_tracing\

IC Client:

interactionclient.ininlog
interactionclient_1.ininlog
interactionclient_2.ininlog

0 Karma
1 Solution

javiergn
Super Champion

Hi @hastrike, in future please remember to include your paths, queries and anything with special characters between code tags (button with 1s and 0s) otherwise those characters will be removed when posting your comments.

Anyway, if you just want to add a new file input to your Universal Forwarder, the best place to start is here. You can also find all the advanced details by reading the inputs.conf specification.

In your particular case, it will probably be something like this what you need to configure in your inputs.conf:

[monitor://C:\Users\AppData\Local\Temp\inin_tracing\*.ininlog]
disabled = 0
index = your_index_name
sourcetype = your_sourcetype_name

[monitor://C:\Windows\Temp\inin_tracing\*.ininlog]
disabled = 0
index = your_index_name
sourcetype = your_sourcetype_name

View solution in original post

renjith_nair
Legend

Add the log file stanza to your SPLUNK_HOME/etc/system/local/inputs.conf

[monitor://C:\Users\AppDate\Local\Temp\inin_tracing\interactionclient_*.ininlog]
index= your index name
other fileds=other vlaues

[monitor://C:\Windows\Temp\inin_tracing\screencapturetransferserviceu_*.ininlog]
index= your index name
other fileds=other vlaues

See here for reference : http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Editinputs.conf

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

hastrike
New Member

thank you for the response.

0 Karma

javiergn
Super Champion

Hi @hastrike, in future please remember to include your paths, queries and anything with special characters between code tags (button with 1s and 0s) otherwise those characters will be removed when posting your comments.

Anyway, if you just want to add a new file input to your Universal Forwarder, the best place to start is here. You can also find all the advanced details by reading the inputs.conf specification.

In your particular case, it will probably be something like this what you need to configure in your inputs.conf:

[monitor://C:\Users\AppData\Local\Temp\inin_tracing\*.ininlog]
disabled = 0
index = your_index_name
sourcetype = your_sourcetype_name

[monitor://C:\Windows\Temp\inin_tracing\*.ininlog]
disabled = 0
index = your_index_name
sourcetype = your_sourcetype_name

hastrike
New Member

can your sourcetype be different but index be the same between all the different locations you are monitoring? So the index name might be the name of the application and the source type might be ICCLient, screencapture, interactionadministrator, etc.... for each section.

I would just add each monitored folder for log one right below each other in the inputs.conf file.

Is there any thing I need to change on the outputs.conf?

0 Karma

hastrike
New Member

So I do have one question on this if you have a path that you want to look at the logs in a folder with that specific date on it can you just put like this in the path of file for it to analyze the day it is and pick the folder with the correct date?

[monitor://c:\users\%userprofile%\AppData\Local\Temp\inin_Tracing\interactionclient*]
disabled=0
index = i3
sourcetype = interaction_client
ignoreOlderThan = 1y

0 Karma

hastrike
New Member
[monitor://c:\users\%userprofile%\AppData\Local\Temp\inin_Tracing\<Current Date>\screencaptureclient*]
disabled=0
index = i3
sourcetype = screencapture_client
ignoreOlderThan = 1y

This would be the actual code I was going to use for the input.conf forwarder.

0 Karma

javiergn
Super Champion

Hi, you can't use dynamic paths in your monitor stanza as far as I know.
You will need to hardcode the exact full path in advance or use regex to specify a date format:

http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/Specifyinputpathswithwildcards

You can use whitelists and blacklists to monitor only those files you are interested in:

Keep in mind Splunk is going to remember which files it has already parsed.

0 Karma

javiergn
Super Champion

Both index and sourcetype can be different if you want to.
You usually tend to group similar sources by the same sourcetype and then use index to group data by retention and access control. There are obviously lots of other considerations, so this is on a very high level.

With regards to your second question. If you follow the right steps to configure your outputs.conf, then in principle you don't need to modify that again unless you want to do things like redirecting to multiple destinations, etc.

Take a look at these two Wikis, they are both great and should be part of any Splunk 101 training course:

https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
https://wiki.splunk.com/Things_I_wish_I_knew_then

0 Karma

hastrike
New Member

I guess my other question is that we do have forwarders on the computers reporting back some information. Would we just modify the input.conf file with the other folders we want to monitor and the output.conf is the same for all inputs or anytime we want to monitor another folder with logs do we have to have a separate splunk forwarder output.conf file as well as input file?

0 Karma

hastrike
New Member

other logs
Log Files within this path: C:\Windows\Temp\inin_tracing\

Screen Capture Transfer Log Files
screencapturetransferserviceu.ininlog
screencapturetransferserviceu_1.ininlog
screencapturetransferserviceu_2.ininlog

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...