Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to configure directory and file monitoring on a universal forwarder?

ageorgiou
Explorer
‎11-22-2015 10:04 PM

Hi,

I've got a universal forwarder and I'm trying to monitor C:\Windows\System32\winevt\Logs. I've tried 2 solutions: CLI and Inputs.conf.

CLI: Splunk add monitor C:\Windows\System32\winevt\Logs
inputs.conf:

[monitor://C:\Windows\System32\winevt\Logs]
disabled = 0

Both solutions are not working and I've tried a combination of the two. Am I missing a step? Are there anyways to troubleshoot this so I can get a clear picture of whats happening ( in this case, not happening)?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ageorgiou
Explorer
‎11-25-2015 06:37 PM

The logs that I was trying to monitor is a Windows Event Log which monitor stanza can't monitor dynamically. To monitor Windows event log you have to use the stanza [WinEventLog]. See this documentation for more details:
http://docs.splunk.com/Documentation/Splunk/6.2.7/Data/MonitorWindowsdata

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ageorgiou
Explorer
‎11-25-2015 06:37 PM

The logs that I was trying to monitor is a Windows Event Log which monitor stanza can't monitor dynamically. To monitor Windows event log you have to use the stanza [WinEventLog]. See this documentation for more details:
http://docs.splunk.com/Documentation/Splunk/6.2.7/Data/MonitorWindowsdata

0 Karma
Reply
Solved! Jump to solution

ageorgiou
Explorer
‎11-23-2015 06:54 PM

I tried putting the path in $SPLUNK_HOME/etc/app/ and it worked but it doesn't monitor the logs in real-time and it seems to only get the logs once.

0 Karma
Reply
Solved! Jump to solution

ageorgiou
Explorer
‎11-25-2015 04:37 PM

The only time the logs are updated is when I restart the forwarder.

0 Karma
Reply
Solved! Jump to solution

NOUMSSI
Builder
‎11-23-2015 08:10 AM

Hi,
Try this

Splunk add monitor C:\Windows\System32\winevt\Logs -index indexName
0 Karma
Reply
Solved! Jump to solution

ageorgiou
Explorer
‎11-23-2015 02:11 PM

This one doesn't seem to be working as well. I've also made sure that the index is created in the Indexer.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...