Getting Data In

Is it possible to ingest logs written to NAS (UNC Paths) ?

paimonsoror
Builder

Saw some questions posted on this topic but not very many answers that were accepted.

I was wondering if it was possible to ingest logs that sit on a NAS share. My assumption is that just like any location, as long as the NAS is mounted to the host that the forwarder sits on, it can ingest the logs, but wasn't sure if there were other best practices that should be followed.

0 Karma
1 Solution

paimonsoror
Builder

Just wanted to update this original question by stating that lguinn was correct. I did come across other posts and unfortunately my lack of finding answers was the terminology I was using. For other's looking for answers to this, start to search for monitoring "UNC Paths". None the less, the answers are simply to create a stanza with the full unc path like the following:

[monitor://\\srrnap511.example.com\Logs\Cache*.log]
index = app_srrlog
sourcetype = srrlog:cache
ignoreOlderThan = 7d

In the case above, \srrnap511.example.com\Logs\Cache*.log is the UNC path, or the NAS location of the logs we are looking to monitor. There is one caveat however, and that is that the splunk service MUST run as a service account. The default local user doesn't have access to network locations when running as a service.

View solution in original post

paimonsoror
Builder

Just wanted to update this original question by stating that lguinn was correct. I did come across other posts and unfortunately my lack of finding answers was the terminology I was using. For other's looking for answers to this, start to search for monitoring "UNC Paths". None the less, the answers are simply to create a stanza with the full unc path like the following:

[monitor://\\srrnap511.example.com\Logs\Cache*.log]
index = app_srrlog
sourcetype = srrlog:cache
ignoreOlderThan = 7d

In the case above, \srrnap511.example.com\Logs\Cache*.log is the UNC path, or the NAS location of the logs we are looking to monitor. There is one caveat however, and that is that the splunk service MUST run as a service account. The default local user doesn't have access to network locations when running as a service.

lguinn2
Legend

Splunk can ingest files from a NAS just fine. NAS isn't good for storing Splunk indexes, but it should work fine as a source.
I don't think you need to do anything special at all.
To monitor files, Splunk needs read permissions on the files and the ability to connect to the via the mount point. That should be all.

paimonsoror
Builder

Hi lguinn, just wondering if you saw my follow up question 🙂 Thanks!

0 Karma

paimonsoror
Builder

Ok great, thanks for the quick answer! Now, would this hold true if the NAS drive isn't mounted directly. Our security team is working towards moving away from mounts. Would I be able to tell the forwader to connect to the remote path? i.e \MyRemoteNAS\my\folder ?

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...