How to monitor an Error Log file on a remote Windows machine via inputs.conf?

Motivator

Hi All, we have more than 100 servers that need to be monitored via Splunk to capture the SQL Error logs from these servers. We have a deployment server to manage the app configuration centrally, and we have the UF agent running on all these nodes.

We have downloaded the SQL Add-on app from Splunkbase to monitor the file.
Default monitoring stanza provided in the MS SQL Add-on:

inputs.conf
# ERROR Log for SQL Server 2014
[monitor://C:\Program Files\Microsoft SQL Server\MSSQL11\MSSQL\Log\ERRORLOG*]
sourcetype = mssql:errorlog
disabled = 1

My question: how do I configure inputs.conf to monitor the Error Log file placed under different paths on the remote nodes?

Example: Test01, Test02, Test03

Node=test01
SQL Version: Microsoft SQL Server 2014 - 12.0.2000.8 (X64)
File Monitoring: D:\Data\MSSQL12.MSSQLSERVER\MSSQL\Log\ERRORLOG

Node=test02
SQL Version: Microsoft SQL Server 2014 - 12.0.4100.1 (X64)
File Monitoring: C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Log\ERRORLOG

Node=test03
SQL Version: Microsoft SQL Server 2014 - 12.0.2000.8 (X64)
File Monitoring: D:\Program Files\Microsoft SQLServer\MSSQL12.SCOM2012RS\MSSQL\Log\ERRORLOG

Kindly guide me on how to set up an inputs.conf to monitor the Error.log file placed under different paths on different remote nodes.
Thanks in advance.


Builder

If I understand correctly, you could just keep an inputs.conf that defines all three paths. Of course, just one of the paths will actually hit the log on each UF, but that doesn't really matter; it should work fine. The config would then look something like the following.

[monitor://D:\Data\MSSQL12.MSSQLSERVER\MSSQL\Log\ERRORLOG]
sourcetype = mssql:errorlog
# 0 enables the input; the add-on ships its stanza with disabled = 1
disabled = 0

[monitor://C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Log\ERRORLOG]
sourcetype = mssql:errorlog
disabled = 0

[monitor://D:\Program Files\Microsoft SQLServer\MSSQL12.SCOM2012RS\MSSQL\Log\ERRORLOG]
sourcetype = mssql:errorlog
disabled = 0

Motivator

Hi hettervi, thanks for your effort on this. I have planned to create six different apps, and each app will contain the config details for the respective SQL version. Example: MS SQL 2014 version

App name: Test-IA-MS SQL2014

inputs.conf details
# ERROR Log for SQL Server 2014
# Each stanza carries its own settings: a key/value line applies only to the stanza header directly above it.
[monitor://C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Log\ERRORLOG*]
sourcetype = mssql:errorlog
index = windows
disabled = 0
[monitor://D:\Data\MSSQL12.MSSQLSERVER\MSSQL\Log\ERRORLOG*]
sourcetype = mssql:errorlog
index = windows
disabled = 0
[monitor://D:\Program Files\Microsoft SQL Server\MSSQL12.SCOM2012RS\MSSQL\Log\ERRORLOG*]
sourcetype = mssql:errorlog
index = windows
disabled = 0
[monitor://D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Log\ERRORLOG*]
sourcetype = mssql:errorlog
index = windows
disabled = 0
[monitor://D:\Program Files\Microsoft SQL Server\MSSQL12.SQL2014\MSSQL\Log\ERRORLOG*]
sourcetype = mssql:errorlog
index = windows
disabled = 0

This app will be pushed to and managed on the remote nodes from the deployment server.

I have the following questions before proceeding with the database configuration in Splunk.

Questions:

1) Do I need to copy/push the entire content of "Splunk_TA_microsoft-sqlserver" to the remote nodes, or can we just keep inputs.conf, props.conf and default.meta.conf, since we are going to use this app "Test-IA-MS SQL2014" only to fetch the Error log details from the SQL Server machines?

2) Do I need to create an identity with user name and password for each database? We have almost 100+ nodes with different SQL versions, so what should be done? Or can we create a common identity with user name and password that has complete access to the data that Splunk will fetch from that database?

3) How do I configure the database inputs in DB Connect? We have DB Connect version 3.0.3, but when I checked the Splunk Add-on for Microsoft SQL Server documentation, we can choose DB Connect v3.1 inputs for the Splunk Add-on for Microsoft SQL Server or DB Connect v2 inputs for the Splunk Add-on for Microsoft SQL Server. So in this case, which type of configuration inputs should be used?

4) I am planning to use the default template provided in the Splunk SQL Server add-on for configuring the database input. In this case, how do I configure it via DB Connect?

5) While configuring the database input via the DB Connect GUI (Datalab --> New Inputs --> Name --> Description --> App name), which app do I need to select to store the inputs? Do I need to choose the DB Connect app or the Splunk Add-on for MS SQL, as I need to monitor the MS SQL database instances?

Kindly guide me on the above questions.
Thanks in advance.

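A small pre-deployment checker for monitor stanzas in inputs.conf, added here as an example; it is not code from this thread, from Splunk, or from the Splunk Add-on for Microsoft SQL Server. It parses a constructed inputs.conf in which several [monitor://...] headers are listed back-to-back with a single block of settings after the last one (the pattern that is easy to produce when collecting paths from many nodes into one app) and reports, per stanza, which ones end up without sourcetype or index, which keep disabled = 1, and which carry whitespace between monitor:// and the path. The sample config, the REQUIRED_KEYS list and the function names are this example's own assumptions, not Splunk settings.

```python
"""Sanity-check monitor stanzas in a Splunk inputs.conf before pushing it
from a deployment server.

Added example for this thread, not code from Splunk or from the Splunk
Add-on for Microsoft SQL Server. In inputs.conf a key/value line applies
only to the stanza header directly above it, so headers listed one after
another with one settings block at the end leave the earlier stanzas
with no sourcetype, no index and the default disabled state.
"""
from collections import OrderedDict

# Constructed sample: three headers, one settings block, a stray space
# after "monitor://" in the first header, and the input left disabled.
SAMPLE_INPUTS_CONF = r"""
# ERROR Log for SQL Server 2014
[monitor:// C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Log\ERRORLOG*]
[monitor://D:\Data\MSSQL12.MSSQLSERVER\MSSQL\Log\ERRORLOG*]
[monitor://D:\Program Files\Microsoft SQL Server\MSSQL12.SCOM2012RS\MSSQL\Log\ERRORLOG*]
sourcetype = mssql:errorlog
index = windows
disabled = 1
"""

# Settings every file monitor in this app is expected to carry (assumption).
REQUIRED_KEYS = ("sourcetype", "index")


def parse_inputs_conf(text):
    """Return an OrderedDict of {stanza_header: {key: value}}.

    Mirrors how the file is read: comments and blank lines are skipped and
    each key/value line is attached to the most recent header. Keys that
    appear before any header are collected under "default".
    """
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None:
            current = "default"
            stanzas.setdefault(current, {})
        key, sep, value = line.partition("=")
        if sep:
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_monitor_stanzas(text):
    """Return a list of (stanza_header, problem) tuples for monitor:// stanzas."""
    problems = []
    for header, settings in parse_inputs_conf(text).items():
        if not header.startswith("monitor://"):
            continue
        path = header[len("monitor://"):]
        if path != path.strip():
            problems.append((header, "whitespace between monitor:// and the path"))
        for key in REQUIRED_KEYS:
            if key not in settings:
                problems.append((header, "missing %s (settings apply only to the stanza above them)" % key))
        if settings.get("disabled", "0").lower() in ("1", "true"):
            problems.append((header, "disabled = 1, this input will not be read"))
    return problems


if __name__ == "__main__":
    for header, problem in check_monitor_stanzas(SAMPLE_INPUTS_CONF):
        print("[%s] -> %s" % (header, problem))
```

Run against the constructed sample, the first two stanzas are reported for missing sourcetype and index, the first additionally for the stray space in its path, and the third only for being disabled. Feeding the checker the real app's inputs.conf before it is pushed from the deployment server catches these mistakes before a hundred UFs receive a configuration that silently reads nothing.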

Builder

I have little experience with Splunk DB Connect and the Splunk Add-on for Microsoft SQL Server, but if the log files are written to file, there is no need for any additional TAs on the UFs. Your custom apps with inputs.conf should do the trick. You probably need to keep the SQL TA on the indexers for parsing and index definitions, at least.

If you need to read records from a database, as well as the files located on disk, I can give you no good answer on technical questions about Splunk DB Connect. You will have to create an SQL query in the app and make it read the records in the database incrementally. Make sure that records are only appended consistently to the end or back of the database; strange things might happen if not.


Motivator

Thanks hettervi. I hope the below stanzas will be fine to fetch and index the data related to the SQL Error.logs.

inputs.conf details
# ERROR Log for SQL Server 2014
# Each stanza carries its own settings: a key/value line applies only to the stanza header directly above it.
[monitor://C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Log\ERRORLOG*]
sourcetype = mssql:errorlog
index = windows
disabled = 0
[monitor://D:\Data\MSSQL12.MSSQLSERVER\MSSQL\Log\ERRORLOG*]
sourcetype = mssql:errorlog
index = windows
disabled = 0
[monitor://D:\Program Files\Microsoft SQL Server\MSSQL12.SCOM2012RS\MSSQL\Log\ERRORLOG*]
sourcetype = mssql:errorlog
index = windows
disabled = 0
[monitor://D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Log\ERRORLOG*]
sourcetype = mssql:errorlog
index = windows
disabled = 0
[monitor://D:\Program Files\Microsoft SQL Server\MSSQL12.SQL2014\MSSQL\Log\ERRORLOG*]
sourcetype = mssql:errorlog
index = windows
disabled = 0


Motivator

Hi All, can anyone guide me on how to set up an inputs.conf to monitor the Error.log file placed under different paths on multiple remote nodes?

Thanks in advance.
