How to configure inputs.conf to monitor evtx files from a UNC path?
Hi all,
I have a search head running on the Windows operating system and I want to monitor evt & evtx (Windows Event Log) files from a UNC path.
I have tried many ways to do it, but with no success - I see the monitor when I open Data Inputs in Splunk Web, but no events are coming into Splunk.
I tried to edit the inputs.conf file in $SPLUNK_HOME\etc\system\local with this:
[monitor://\\servername\share_path]
disable = false (or 0)
host = HOST
index = main
and
[monitor:\\servername\share_path]
disable = false (or 0)
host = HOST
index = main
I think it is important for many people, so please help me deal with this and make it a reference for others.
Thanks,
Omer.
After you began to index your evtx file, did your data come in clean? I am currently having this issue and the data is coming across null for me. I can't figure out how to fix it.
This will work:
[monitor://servernameshare_path]
sourcetype = evtx_from_UNC
index = main
The problem may be that you did not set sourcetype. Also, setting host to the string HOST seems silly and it would be better for you to know the host of the machine that had the file, so I removed that. Note that in the end, the stanza header should have 3 total slashes (2 forward and 1 back) after the colon like this: [monitor://\var\log/evtx\*.log] or whatever.