Getting Data In

How to Recursive monitor all *.log files (in X directory) (via UF on Windows)?

spunk311z
Path Finder

I always struggle with this common task (common for me). I have a v8 UF set up on a Windows 10 machine; it is logging all of the WinEvent logs beautifully (back to my Splunk v8 server), however I need to monitor something specific on this machine. (NB: I do NOT use deployment-server in any way, anywhere.)

I need this Windows UF to monitor all *.log files, recursively, within X directory.

In this case, it's:

C:\ProgramData\vMix\    (any/all *.log files recursively)

and

C:\Users\pc\Documents\vMixStorage\logs    (any/all *.log files recursively)

So I edit inputs.conf:

notepad++.exe "C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf"

and I add these stanzas, one at a time (and then test to see if data is getting to my Splunk server):

[monitor://C:\Users\pc\Documents\vMixStorage\log\*]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX

[monitor://C:\ProgramData\vMix\...\*.log]
disabled = 0
index = pcs
blacklist = .*stream.*|stream.*
whitelist = *.log
recursive = true
sourcetype = vMIX

[monitor://C:\ProgramData\vMix\*.log]
disabled = 0
index = pcs
blacklist = .*stream.*|stream.*
sourcetype = vMIX

[monitor://C:\Users\pc\Documents\vMixStorage\...\*.log]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX

[monitor://C:\Users\pc\Documents\vMixStorage\logs\]
disabled = 0
index = pcs
blacklist = .*stream.*
whitelist = *.log
recursive = true
sourcetype = vMIX

At some point in adding the above, one stanza at a time, I did get the *.logs to flow in; however, they then stopped updating/flowing in (but the Win event log is of course still flowing in, rock solid).

I get this output from .\splunk.exe list monitor, which to me seems like it's NOT what I want (as I *think* I should be seeing those directories under "Monitored Directories", but I have yet to be able to get that to occur).

PS C:\Program Files\SplunkUniversalForwarder\bin> .\splunk.exe list monitor
Monitored Directories:
                [No directories monitored.]
Monitored Files:
        C:\ProgramData\vMix\*.log
        C:\ProgramData\vMix\...\*.log
        C:\Users\pc\Documents\vMixStorage\...\*.log
        C:\Users\pc\Documents\vMixStorage\log\*
        C:\Users\pc\Documents\vMixStorage\logs\

btool debug:

.\splunk.exe cmd btool inputs list --debug
## <snip> ## 
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   [monitor://C:\ProgramData\vMix\*.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   blacklist = .*stream.*|stream.*
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dc_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dns_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf                                host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   [monitor://C:\ProgramData\vMix\...\*.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   blacklist = .*stream.*|stream.*
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dc_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dns_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf                                host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   whitelist = *.log
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   [monitor://C:\Users\pc\Documents\vMixStorage\...\*.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dc_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dns_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf                                host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   [monitor://C:\Users\pc\Documents\vMixStorage\log\*]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dc_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dns_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf                                host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   [monitor://C:\Users\pc\Documents\vMixStorage\logs\]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   blacklist = .*stream.*
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dc_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dns_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf                                host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   whitelist = *.log
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\default\inputs.conf [monitor://C:\Windows\System32\DHCP]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\default\inputs.conf crcSalt = <SOURCE>

## <snip> ## 

Can anyone please help or point me to the correct stanza I should be using here?

I really have spent hours searching and reading forum posts (which is how I arrived at the stanzas above), as I know this is a common task; however, I know I'm still not doing this correctly.

(+ it's not working 😞) - thank you!

(Apologies for the poor spacing; I have tried to re-edit, but it does not seem to be saving my changes on edit->post.)

0 Karma

VatsalJagani
SplunkTrust

This inputs.conf should work:

[monitor://C:\Users\pc\Documents\vMixStorage]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX
whitelist = \.log
blacklist = stream

[monitor://C:\ProgramData\vMix]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX
whitelist = \.log
blacklist = stream

If this input stanza does not work please check the following things:

* Whether the index "pcs" has been created or not.

* Are you searching the data from the search head? (In case you are forwarding the logs to a Splunk distributed or clustered environment.) -> Verify outputs.conf on your machine.

* Look for any warnings and errors in Splunk _internal logs. -> index=_internal (CASE("WARN*") OR CASE("ERROR"))

0 Karma
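The key difference between the question's stanzas and this answer is that Splunk's whitelist/blacklist values are regular expressions matched against the full file path, not filename globs, so `whitelist = *.log` is not a valid pattern while `\.log` is. The script below is an added illustration (not Splunk's code and not from the answer above): it emulates that filtering with Python's re module standing in for Splunk's regex engine, over a constructed set of paths modelled on the directories in the question.

```python
import re

# Constructed sample of files a recursive [monitor://<dir>] stanza would
# encounter under the two directories from the question (not real data).
SAMPLE_FILES = [
    r"C:\ProgramData\vMix\vMix.log",
    r"C:\ProgramData\vMix\2021\old.log",
    r"C:\ProgramData\vMix\stream\stream1.log",
    r"C:\ProgramData\vMix\settings.xml",
    r"C:\Users\pc\Documents\vMixStorage\logs\app.log",
    r"C:\Users\pc\Documents\vMixStorage\logs\stream.txt",
]


def pattern_is_valid_regex(pattern):
    """Return True if the whitelist/blacklist value compiles as a regex.
    Python's re is used here as a stand-in for Splunk's PCRE engine; both
    reject a leading '*' because there is nothing for it to repeat."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def select_monitored(paths, whitelist=None, blacklist=None):
    """Emulate whitelist/blacklist filtering for a recursive monitor stanza:
    each value is a regex searched (unanchored) against the full path; a file
    is kept only if it matches the whitelist (when set) and does not match
    the blacklist (when set). Matching is case-sensitive in this emulation."""
    wl = re.compile(whitelist) if whitelist else None
    bl = re.compile(blacklist) if blacklist else None
    kept = []
    for path in paths:
        if wl is not None and not wl.search(path):
            continue  # whitelist set and path does not match it
        if bl is not None and bl.search(path):
            continue  # blacklist matches, so the file is excluded
        kept.append(path)
    return kept


if __name__ == "__main__":
    print("'*.log' valid regex:", pattern_is_valid_regex("*.log"))
    print("'\\.log' valid regex:", pattern_is_valid_regex(r"\.log"))
    for f in select_monitored(SAMPLE_FILES, whitelist=r"\.log", blacklist="stream"):
        print("monitored:", f)
```

Running it shows the glob-style whitelist being rejected, and the answer's `\.log` / `stream` pair keeping exactly the three .log files outside the stream folder.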