Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Recursive monitor all *.log files (in X directory) (via UF on Windows)?

spunk311z
Path Finder
‎04-02-2022 12:16 PM

I always struggle with this common task (common for me) -  I have a v8 UF setup on a windows10 machine,  it is logging all of the winEvent logs beautifully (back to my splunk v8 server),  however i need to monitor something specific on this machine.   (NB: i do NOT use deployment-server in anyway, anywhere)

I need this windows UF to monitor all *.log files , recursively, within X Directory. 

in this case, its :

C:\ProgramData\vMix\    (any/all *.log files recursively)

and

C:\Users\pc\Documents\vMixStorage\logs    (any/all *.log files recursively)

So i edit inputs.conf:

notepad++.exe "C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf"

and i add these stanzas, one at a time (and then test to see if data is getting to my splunk server): 

 

 

[monitor://C:\Users\pc\Documents\vMixStorage\log\*]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX

[monitor://C:\ProgramData\vMix\...\*.log]
disabled = 0
index = pcs
blacklist = .*stream.*|stream.*
whitelist = *.log
recursive = true
sourcetype = vMIX

[monitor://C:\ProgramData\vMix\*.log]
disabled = 0
index = pcs
blacklist = .*stream.*|stream.*
sourcetype = vMIX

[monitor://C:\Users\pc\Documents\vMixStorage\...\*.log]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX

[monitor://C:\Users\pc\Documents\vMixStorage\logs\]
disabled = 0
index = pcs
blacklist = .*stream.*
whitelist = *.log
recursive = true
sourcetype = vMIX

 

 

 At some point in adding the above, one stanza at a time,  i did get the *.logs to flow in,  however they then stopped updating/ flowing in (but win event log is ofcourse still flowing in, rock solid).

I get this output from  .\splunk.exe list monitor   which to me seems like its NOT what i want (as i *think* i should be seeing those directories under "Monitored Directories"  ,  but i have yet to be able to get that to occur.

 

 

PS C:\Program Files\SplunkUniversalForwarder\bin> .\splunk.exe list monitor
Monitored Directories:
                [No directories monitored.]
Monitored Files:
        C:\ProgramData\vMix\*.log
        C:\ProgramData\vMix\...\*.log
        C:\Users\pc\Documents\vMixStorage\...\*.log
        C:\Users\pc\Documents\vMixStorage\log\*
        C:\Users\pc\Documents\vMixStorage\logs\

 

 

btool debug:

 

 

.\splunk.exe cmd btool inputs list --debug
## <snip> ## 
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   [monitor://C:\ProgramData\vMix\*.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   blacklist = .*stream.*|stream.*
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dc_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dns_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf                                host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   [monitor://C:\ProgramData\vMix\...\*.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   blacklist = .*stream.*|stream.*
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dc_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dns_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf                                host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   whitelist = *.log
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   [monitor://C:\Users\pc\Documents\vMixStorage\...\*.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dc_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dns_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf                                host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   [monitor://C:\Users\pc\Documents\vMixStorage\log\*]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dc_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dns_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf                                host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   [monitor://C:\Users\pc\Documents\vMixStorage\logs\]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   blacklist = .*stream.*
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dc_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dns_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf                                host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   whitelist = *.log
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\default\inputs.conf [monitor://C:\Windows\System32\DHCP]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\default\inputs.conf crcSalt = <SOURCE>

## <snip> ##

 

 

Can anyone please help or point me to the correct Stanza i should be using here? 

i really have spent hours searching and reading forum posts,  (which is how i arrived at the stanzas above) as i know this is a common task, however i know im still not doing this correctly.

( + its not working 😞  )  -  thank you!

(appologies for the poor spacing,  i have tried to re-edit but it does not seem to be saving my changes on edit->post)

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-03-2022 09:06 AM

This inputs.conf should work:

[monitor://C:\Users\pc\Documents\vMixStorage]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX
whitelist = \.log
blacklist = stream

[monitor://C:\ProgramData\vMix]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX
whitelist = \.log
blacklist = stream

 

If this input stanza does not work please check the following things:

* Whether index "pcs" is created or not?

* Are you searching the data from the search head? (In case you are forwarding the logs to Splunk distributed or clustered environment.) -> Verify outputs.conf in your machine.

* Look for any warnings and errors in Splunk _internal logs. -> index=_internal (CASE("WARN*") OR CASE("ERROR"))

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...