Hey,
I am new to Splunk and I have a newbie question 🙂
I have installed Splunk (v.4.1.3) on my workstation choosing the Local System User option. My Splunk instance is able to monitor files stored on my local drives (e.g. C:).
I have read access to log files stored on a remote server but my question is: How can I get my instance of Splunk on my local workstation to monitor the directory on the remote server containing these log files? (My instance of Splunk should be able to index these log files.)
Both the remote server and my workstation have Windows OS. Splunk is not installed on the remote server.
Thanks in advance for your help. Regards, Antoine.
Hi there,
you can specify a shared directory containing the remote logfiles. The Splunk server must be able to read from this directory.
See also the Documentation:
http://www.splunk.com/base/Documentation/4.1.4/admin/MonitorFilesAndDirectories
Hope that helps!
Cheers
Hi Ant1D
Can you please help me figure out how we can monitor a remote log directory from my local Splunk?
For example, I have shared the directory below with everyone but am unable to monitor it in Splunk using the Files & Directories option:
\10.172.139.32\d$\splunk
I am getting the error below:
04-19-2018 16:11:05.510 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor:///10.172.139.32/d$/splunk.
04-19-2018 16:11:05.510 -0400 INFO TailingProcessor - Adding watch on path: \10.172.139.32/d$/splunk.
04-19-2018 16:11:07.889 -0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-MonitorNoHandle.exe"" splunk-monitornohandle - configure: no drive specifier found: '10.172.139.32/d$/splunk'
04-19-2018 16:12:07.713 -0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-MonitorNoHandle.exe"" splunk-monitornohandle - configure: no drive specifier found: '10.172.139.32/d$/splunk'
Hello Daniel, can you please share with me how you managed to get it working? I am also trying to access logs on a remote UNIX server, but even if I provide the UNC path Splunk is not retrieving the log files on that server.
When I try to run the Indexer service under a different account, the service crashes. I can only run this service under the Local System account. I've tried this on two different machines with the same results.
I have managed to get it working now. Thanks for your help
I have configured the parameters below to monitor the remote path under "c$\Program Files\Splunk\etc\system\default\inputs.conf":
[monitor:///10.172.139.32/d$/splunk]
index=lm-uscmit-p-finsvcs
[MonitorNoHandle://10.172.139.32/d$/splunk]
index=lm-uscmit-p-finsvcs
However, I am getting the error below after restarting Splunk:
04-19-2018 16:11:05.510 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor:///10.172.139.32/d$/splunk.
04-19-2018 16:11:05.510 -0400 INFO TailingProcessor - Adding watch on path: \10.172.139.32/d$/splunk.
04-19-2018 16:11:07.889 -0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-MonitorNoHandle.exe"" splunk-monitornohandle - configure: no drive specifier found: '10.172.139.32/d$/splunk'
04-19-2018 16:12:07.713 -0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-MonitorNoHandle.exe"" splunk-monitornohandle - configure: no drive specifier found: '10.172.139.32/d$/splunk'
I can access the directory of the server from the workstation that Splunk is installed on. What do you mean exactly when you say "running the Splunk Indexer with a SPECIAL ROLE"?
When you share the directory or mount the drive, you have to make sure that, if you are running the Splunk Indexer under a special role, this role can access the remote drives.
Just log in to the system that hosts the Splunk Indexer and try to access the remote drive.
If that works, Splunk can also access the drive.
Cheers,
Christian
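As an added example (not Splunk's own code and not from anyone in this thread), the script below pre-checks the monitor stanzas in an inputs.conf before a restart: it flags paths that are neither a drive path (C:\...) nor a UNC path (\\server\share\...), the shape behind the "no drive specifier found" error quoted above, and offers a read-access probe to run as the Splunk service account. The sample configuration is constructed from the stanzas posted in the thread plus two corrected forms.

```python
"""Added example: audit monitor:// paths in a Splunk inputs.conf.
Assumed Windows path rules: local paths need a drive letter (C:\...),
remote shares need the UNC prefix (\\server\share\...)."""
import os
import re

STANZA_RE = re.compile(r"^\[(monitor|MonitorNoHandle)://(.+)\]\s*$", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")          # e.g. C:\Logs or D:/logs
UNC_RE = re.compile(r"^\\\\[^\\/]+\\[^\\/]+")        # e.g. \\host\share

def classify_path(path):
    """Return 'drive', 'unc' or 'no-drive-specifier' for a monitor path."""
    if DRIVE_RE.match(path):
        return "drive"
    if UNC_RE.match(path):
        return "unc"
    return "no-drive-specifier"

def parse_monitor_stanzas(conf_text):
    """Yield (input_type, path) for every monitor/MonitorNoHandle stanza."""
    for line in conf_text.splitlines():
        m = STANZA_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def audit_inputs_conf(conf_text):
    """Return [(input_type, path, kind, ok)]; ok is False for paths that
    carry neither a drive letter nor a UNC prefix."""
    results = []
    for input_type, path in parse_monitor_stanzas(conf_text):
        kind = classify_path(path)
        results.append((input_type, path, kind, kind != "no-drive-specifier"))
    return results

def readable_by_current_account(path):
    """True if the account running this script can read 'path' now; run it
    as the Splunk service account to see what the indexer itself can reach."""
    return os.path.isdir(path) and os.access(path, os.R_OK)

# Constructed sample: the thread's stanzas plus two corrected forms.
SAMPLE_CONF = r"""
[monitor:///10.172.139.32/d$/splunk]
index=lm-uscmit-p-finsvcs
[MonitorNoHandle://10.172.139.32/d$/splunk]
index=lm-uscmit-p-finsvcs
[monitor://\\10.172.139.32\d$\splunk]
index=lm-uscmit-p-finsvcs
[monitor://C:\Logs\app]
index=main
"""

if __name__ == "__main__":
    for row in audit_inputs_conf(SAMPLE_CONF):
        print(row)
```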
In the link you gave, it says the following:
To monitor a shared network drive, enter the following:
How do I ensure that Splunk has read access to this?