Getting Data In

How to troubleshoot why inputs.conf from a deployed app is not properly applied to a Universal Forwarder (Win7)?

jacortijo
Explorer

Hi,

At the moment I am testing Splunk at work. So far, I only have a single Splunk Enterprise instance (acting as deployment server) and a Win7 workstation.
I created a simple app with the purpose of catching EMET events. Its inputs.conf file only contains the following lines:

# Application log: collect only the listed EMET event codes
[WinEventLog://Application]
disabled = 0
whitelist = SourceName="EMET" EventCode="(^1$|^2$|^11$|^50$)"

# Security and System logs: explicitly switched off by this app
[WinEventLog://Security]
disabled = 1

[WinEventLog://System]
disabled = 1

I created the app in the server, created the server class for Windows 7 workstations and assigned the app to that server class.
After restarting both Splunk server and the client, the app files are copied to the client, but it doesn't seem to filter anything.

In order to do some troubleshooting, I ran the following debug command on the client:

splunk cmd btool inputs list --debug

and I can see in the output that the file was partially parsed... only one line appears to be taken... the two lines disabled =1 were omitted.

Any idea what can be happening? Any tip I could follow?

Many thanks.
Jose

0YAoNnmRmKDg
Path Finder

Check:

the PowerShell execution policy on the W7 machine
is the deployment server running Windows? If so, check file permissions
try another simple inputs.conf to monitor a file on the desktop (or similar) to check the deployment and client functionality

search index=_internal error host=myw7machine to check for app deployment issues

as a start....

0 Karma
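As an added example (not code from the thread or from Splunk), a small Python script that can be run on the deployment server against a saved copy of the forwarder's `splunk cmd btool inputs list --debug` output: for every key the app's inputs.conf sets, it reports whether the effective value really comes from the app or is overridden by a higher-precedence file such as system/local. The app name `emet_app`, the SPLUNK_HOME path `C:\SplunkUF`, the placement of the app's inputs.conf under `local`, and the btool capture are all constructed; only the first two stanzas of the question's inputs.conf are used.

```python
import re
from collections import defaultdict
LINE_RE = re.compile(r'^(?P<file>.*?\.conf)\s+(?P<text>\S.*)$')  # one btool --debug line

def parse(text, debug=False):
    """Parse inputs.conf text (or btool --debug output when debug=True) into {stanza: {key: (value, source_file)}}."""
    conf, current = defaultdict(dict), None
    for raw in text.splitlines():
        src, line = None, raw.strip()
        if debug:  # strip the "<path to .conf>  " prefix btool --debug prints
            m = LINE_RE.match(line)
            if not m:
                continue
            src, line = m.group('file'), m.group('text').strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
        elif '=' in line and current is not None and not line.startswith('#'):
            key, val = line.split('=', 1)
            conf[current][key.strip()] = (val.strip(), src)
    return dict(conf)

def check_deployment(btool_output, app_inputs, app_name):
    """Per app key: 'ok', 'missing', 'overridden by <file>' or 'differs: <value>'."""
    effective = parse(btool_output, debug=True)
    marker = f'\\apps\\{app_name}\\'.lower()  # path fragment that identifies the app's own files
    report = {}
    for stanza, keys in parse(app_inputs).items():
        for key, (val, _) in keys.items():
            hit = effective.get(stanza, {}).get(key)
            if hit is None:
                report[(stanza, key)] = 'missing'
            elif marker not in hit[1].replace('/', '\\').lower():
                report[(stanza, key)] = f'overridden by {hit[1]}'
            else:
                report[(stanza, key)] = 'ok' if hit[0] == val else f'differs: {hit[0]}'
    return report

# Constructed inputs: the app's stanzas, and a btool capture where system/local wins the Security stanza.
APP_INPUTS = """[WinEventLog://Application]
disabled = 0
whitelist= SourceName="EMET" EventCode="(^1$|^2$|^11$|^50$)"
[WinEventLog://Security]
disabled = 1"""
BTOOL = r"""C:\SplunkUF\etc\apps\emet_app\local\inputs.conf  [WinEventLog://Application]
C:\SplunkUF\etc\apps\emet_app\local\inputs.conf  disabled = 0
C:\SplunkUF\etc\apps\emet_app\local\inputs.conf  whitelist = SourceName="EMET" EventCode="(^1$|^2$|^11$|^50$)"
C:\SplunkUF\etc\system\local\inputs.conf  [WinEventLog://Security]
C:\SplunkUF\etc\system\local\inputs.conf  disabled = 0"""
```

Redirect the forwarder's btool output to a file, copy it to the server, and pass its contents as `btool_output` together with the app's inputs.conf text.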