Getting Data In

How monitor logs on a UNC path?



I've been given the task of finding out how we can setup Splunk to monitor logs on a UNC path.

What are the steps in completing such a task?
New to Splunk and I've done some research and I see that the inputs.conf file needs to be configured other than that, not sure where to start.

-Both the Splunk server and the logfiles reside on Linux boxes.
-Let me know if you need additional information.

Any help would be appreciated. Thank you in advance.

Tags (4)
0 Karma


So you got both extremes of answers here .. let's elaborate some.

On Windows, the concept of a "UNC path" is pretty clear and obvious. There's system software like the Multiple UNC Provider and Network Redirectors that help the Windows OS map open requests for UNC paths to remote hosts and so on. From that perspective, @esix_splunk's answer is mostly right. I might have used [monitor://\\\\servername\sharename] instead given the syntax is monitor://. One thing about this approach is that your user running Splunk must - from a Windows perspective - have the appropriate access to be able to reach the CIFS share. This can be ... problematic ... if you are running Splunk under its default "Local System" user. You would have to enable Splunk to run as a Domain Account in order be able to reach CIFS shares. This is a Windows limitation, not a Splunk one.

But, you explicitly said "Linux". In fact, you said "Both the Splunk server and the log files reside on Linux boxes". If that is the case, why in the world are you asking about CIFS? For Linux to Linux, NFS would be vastly less painful to set up. But, if you must do CIFS on linux, observe there's nothing like UNC paths there. You need to actually mount the CIFS filesystems somewhere onto the filesystem tree. Several examples of ways of doing this are in the CentOS Documentation.

All of the above will work, but as @muebel said, best practice is to use a forwarder. Install the Universal Forwarder on the box with the logs, and let it forward to your indexer. This is best practice because mounting a remote filesystem (be it NFS, or CIFS, or Linux, or Windows) introduces a tight coupling between the two hosts. A forwarder is much more robust when problems do come up.

Splunk Employee
Splunk Employee

As long as the Splunk server can access the logs via UNC path, you can monitor that directly. On that server, you would have an input similar to:



You'll want to install the forwarder on the Linux box with the logs, configure monitor inputs for the logs, and then configure the forwarder to output to the splunk server.

Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!