Getting Data In

Is it possible to ingest logs written to NAS (UNC Paths)?

Builder

Saw some questions posted on this topic but not very many answers that were accepted.

I was wondering if it was possible to ingest logs that sit on a NAS share. My assumption is that just like any location, as long as the NAS is mounted to the host that the forwarder sits on, it can ingest the logs, but wasn't sure if there were other best practices that should be followed.

0 Karma
1 Solution

Builder

Just wanted to update this original question by stating that lguinn was correct. I did come across other posts, and unfortunately my lack of finding answers was due to the terminology I was using. For others looking for answers to this, start by searching for monitoring "UNC Paths". Nonetheless, the answer is simply to create a stanza with the full UNC path like the following:

[monitor://\\srrnap511.example.com\Logs\Cache*.log]
index = app_srrlog
sourcetype = srrlog:cache
ignoreOlderThan = 7d

In the case above, \\srrnap511.example.com\Logs\Cache*.log is the UNC path, or the NAS location of the logs we are looking to monitor. There is one caveat, however, and that is that the Splunk service MUST run as a service account. The default local user doesn't have access to network locations when running as a service.


0 Karma
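A pre-flight check for the setup in the accepted answer, added here as an example and not part of the original thread: it reports which account the forwarder service logs on as, then lists the files on the share that match the stanza and fall inside the ignoreOlderThan window. The service name SplunkForwarder is an assumption about the install; the UNC pattern and the 7-day window are copied from the stanza above.

```powershell
# Added example, not from the original thread.
# Assumption: the forwarder's Windows service is named 'SplunkForwarder'.
$ServiceName = 'SplunkForwarder'
$UncPattern  = '\\srrnap511.example.com\Logs\Cache*.log'   # from the stanza
$MaxAgeDays  = 7                                           # ignoreOlderThan = 7d

# 1. Which account does the service log on as?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host." }

$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
if ($builtin -contains $svc.StartName) {
    # The accepted answer requires a service account for network locations.
    Write-Warning "$ServiceName logs on as $($svc.StartName), not a service account."
} else {
    Write-Output "$ServiceName logs on as $($svc.StartName)"
}

# 2. Which files match the monitor pattern, and which are recent enough?
# This runs with the CURRENT user's rights. To test the service account's own
# read access, run the script in a session started as that account.
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)
try {
    $files = @(Get-ChildItem -Path $UncPattern -File -ErrorAction Stop)
} catch {
    throw "Cannot read ${UncPattern}: $($_.Exception.Message)"
}

if ($files.Count -eq 0) {
    Write-Warning "No files match ${UncPattern}."
} else {
    $files |
        Select-Object Name, Length, LastWriteTime,
            @{ Name = 'WithinWindow'; Expression = { $_.LastWriteTime -ge $cutoff } } |
        Sort-Object LastWriteTime -Descending |
        Format-Table -AutoSize
}
```

Files shown with WithinWindow = False have a modification time older than the 7-day cutoff, so the stanza's ignoreOlderThan setting would skip them.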

Legend

Splunk can ingest files from a NAS just fine. NAS isn't good for storing Splunk indexes, but it should work fine as a source.
I don't think you need to do anything special at all.
To monitor files, Splunk needs read permissions on the files and the ability to connect to them via the mount point. That should be all.

Builder

Hi lguinn, just wondering if you saw my follow up question 🙂 Thanks!

0 Karma

Builder

Ok great, thanks for the quick answer! Now, would this hold true if the NAS drive isn't mounted directly? Our security team is working towards moving away from mounts. Would I be able to tell the forwarder to connect to the remote path? i.e. \MyRemoteNAS\my\folder ?

0 Karma