Getting Data In

How to recursively monitor all *.log files (in X directory) (via UF on Windows)?

spunk311z
Path Finder

I always struggle with this common task (common for me). I have a v8 UF set up on a Windows 10 machine; it is logging all of the WinEvent logs beautifully (back to my Splunk v8 server), however I need to monitor something specific on this machine. (NB: I do NOT use deployment-server in any way, anywhere.)

I need this Windows UF to monitor all *.log files, recursively, within X directory.

In this case, it's:

C:\ProgramData\vMix\    (any/all *.log files recursively)

and

C:\Users\pc\Documents\vMixStorage\logs    (any/all *.log files recursively)

So I edit inputs.conf:

notepad++.exe "C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf"

and I add these stanzas, one at a time (and then test to see if data is getting to my Splunk server):

[monitor://C:\Users\pc\Documents\vMixStorage\log\*]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX

[monitor://C:\ProgramData\vMix\...\*.log]
disabled = 0
index = pcs
blacklist = .*stream.*|stream.*
whitelist = *.log
recursive = true
sourcetype = vMIX

[monitor://C:\ProgramData\vMix\*.log]
disabled = 0
index = pcs
blacklist = .*stream.*|stream.*
sourcetype = vMIX

[monitor://C:\Users\pc\Documents\vMixStorage\...\*.log]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX

[monitor://C:\Users\pc\Documents\vMixStorage\logs\]
disabled = 0
index = pcs
blacklist = .*stream.*
whitelist = *.log
recursive = true
sourcetype = vMIX

At some point in adding the above, one stanza at a time, I did get the *.log files to flow in; however, they then stopped updating/flowing in (but the Win event log is of course still flowing in, rock solid).

I get this output from .\splunk.exe list monitor, which to me seems like it's NOT what I want (as I *think* I should be seeing those directories under "Monitored Directories", but I have yet to be able to get that to occur).

PS C:\Program Files\SplunkUniversalForwarder\bin> .\splunk.exe list monitor
Monitored Directories:
                [No directories monitored.]
Monitored Files:
        C:\ProgramData\vMix\*.log
        C:\ProgramData\vMix\...\*.log
        C:\Users\pc\Documents\vMixStorage\...\*.log
        C:\Users\pc\Documents\vMixStorage\log\*
        C:\Users\pc\Documents\vMixStorage\logs\

btool debug:

.\splunk.exe cmd btool inputs list --debug
## <snip> ## 
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   [monitor://C:\ProgramData\vMix\*.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   blacklist = .*stream.*|stream.*
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dc_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dns_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf                                host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   [monitor://C:\ProgramData\vMix\...\*.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   blacklist = .*stream.*|stream.*
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dc_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dns_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf                                host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   whitelist = *.log
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   [monitor://C:\Users\pc\Documents\vMixStorage\...\*.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dc_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dns_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf                                host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   [monitor://C:\Users\pc\Documents\vMixStorage\log\*]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dc_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dns_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf                                host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   [monitor://C:\Users\pc\Documents\vMixStorage\logs\]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   blacklist = .*stream.*
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dc_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_dns_name = 
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              evt_resolve_ad_obj = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf                                host = vMIX-JCv71-p1000
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   index = pcs
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   recursive = true
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   sourcetype = vMIX
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\local\inputs.conf   whitelist = *.log
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\default\inputs.conf [monitor://C:\Windows\System32\DHCP]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                              _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\FINAL_Splunk_TA_windowsLOCALip\default\inputs.conf crcSalt = <SOURCE>

## <snip> ## 

Can anyone please help or point me to the correct stanza I should be using here?

I really have spent hours searching and reading forum posts (which is how I arrived at the stanzas above), as I know this is a common task; however, I know I'm still not doing this correctly.

(+ it's not working 😞) - thank you!

(Apologies for the poor spacing; I have tried to re-edit but it does not seem to be saving my changes on edit->post.)

0 Karma

VatsalJagani
Super Champion

This inputs.conf should work:

[monitor://C:\Users\pc\Documents\vMixStorage]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX
whitelist = \.log
blacklist = stream

[monitor://C:\ProgramData\vMix]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX
whitelist = \.log
blacklist = stream

If this input stanza does not work please check the following things:

* Whether index "pcs" is created or not?

* Are you searching the data from the search head? (In case you are forwarding the logs to Splunk distributed or clustered environment.) -> Verify outputs.conf in your machine.

* Look for any warnings and errors in Splunk _internal logs. -> index=_internal (CASE("WARN*") OR CASE("ERROR"))

0 Karma
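The answer above hinges on two points: whitelist and blacklist in inputs.conf are regular expressions matched against the full file path (so the question's `whitelist = *.log` is not a valid regex, while `\.log` is), and a plain directory path with `recursive = true` is what makes the forwarder walk subdirectories. The script below is an added example, not from either post and not Splunk's own code: it models a monitor stanza with those semantics (regex whitelist and blacklist matched against the full path, blacklist taking precedence, `recursive` defaulting to true) and runs it over a constructed file list standing in for the vMix directories, so you can see which files each stanza would pick up before touching the forwarder. Wildcards inside the stanza path itself (`*`, `...`) are deliberately not modelled; the stanza path is treated as a directory, as in the answer.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample tree, standing in for what the forwarder would see on disk.
SAMPLE_FILES = [
    r"C:\ProgramData\vMix\vMix.log",
    r"C:\ProgramData\vMix\2023\01\app.log",
    r"C:\ProgramData\vMix\streaming\stream1.log",
    r"C:\ProgramData\vMix\settings.xml",
    r"C:\Users\pc\Documents\vMixStorage\logs\session.log",
    r"C:\Users\pc\Documents\vMixStorage\logs\archive\old.log",
    r"C:\Users\pc\Documents\vMixStorage\stream_state.log",
    r"C:\Users\pc\Documents\vMixStorage\readme.txt",
]


@dataclass
class MonitorStanza:
    """Hypothetical model of one [monitor://<path>] stanza (assumption, not Splunk's code)."""
    path: str                        # the directory after monitor://
    whitelist: Optional[str] = None  # regex, matched against the full file path
    blacklist: Optional[str] = None  # regex, matched against the full file path
    recursive: bool = True           # walk subdirectories; true is the default


def stanza_problems(stanza: MonitorStanza) -> List[str]:
    """Report whitelist/blacklist values that are not valid regular expressions.

    '*.log' fails here because a regex cannot start with a quantifier; '\\.log' is fine.
    """
    problems = []
    for name, pattern in (("whitelist", stanza.whitelist), ("blacklist", stanza.blacklist)):
        if pattern is None:
            continue
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append(f"{name} = {pattern} is not a valid regex ({exc})")
    return problems


def select_files(stanza: MonitorStanza, files: List[str]) -> List[str]:
    """Return the files the stanza would monitor, in the order given."""
    problems = stanza_problems(stanza)
    if problems:
        raise ValueError("; ".join(problems))

    # Scope: everything under the directory (recursive) or only its direct children.
    base = re.escape(stanza.path.rstrip("\\")) + r"\\"
    tail = r".+" if stanza.recursive else r"[^\\]+"
    in_scope = re.compile("^" + base + tail + "$")

    selected = []
    for path in files:
        if not in_scope.match(path):
            continue
        # Blacklist wins when a path matches both lists.
        if stanza.blacklist and re.search(stanza.blacklist, path):
            continue
        if stanza.whitelist and not re.search(stanza.whitelist, path):
            continue
        selected.append(path)
    return selected


# The two stanzas from the answer, expressed in this model.
ANSWER_VMIX = MonitorStanza(r"C:\ProgramData\vMix", whitelist=r"\.log", blacklist="stream")
ANSWER_STORAGE = MonitorStanza(r"C:\Users\pc\Documents\vMixStorage",
                               whitelist=r"\.log", blacklist="stream")
# The question's non-regex whitelist, which the checker rejects.
BROKEN_WHITELIST = MonitorStanza("C:\\Users\\pc\\Documents\\vMixStorage\\logs\\", whitelist="*.log")


if __name__ == "__main__":
    for stanza in (ANSWER_VMIX, ANSWER_STORAGE):
        print(f"[monitor://{stanza.path}] picks up:")
        for path in select_files(stanza, SAMPLE_FILES):
            print("   ", path)
    print("problems with the question's stanza:", stanza_problems(BROKEN_WHITELIST))
```

Two things worth noticing when you run it: `whitelist = \.log` matches `.log` anywhere in the path, so a rotated `app.log.1` would also be picked up, and anchoring with `\.log$` tightens that; and `blacklist = stream` matches anywhere in the full path, including directory names such as `streaming\`, which is usually what you want for noisy stream logs but is worth checking against your actual tree.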