Getting Data In

What is the correct method to consume symlinks?

justinbarta
Explorer

Hi,

I'm attempting to consume MSSQL ERROR logs from 800+ systems with different log locations.

The current approach is to configure a common directory on the C drive c:\mssql logs\ with up to 10 symlink links within.
Each link corresponds to LOG folders of different MSSQL Instances.

C:\MSSQL LOGS\LOG1
C:\MSSQL LOGS\LOG2
C:\MSSQL LOGS\LOG3 ... etc

For example symlink LOG1 points to C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Log

My current inputs.conf is not working however one that points to the actual does.

I need 2 questions answered.
1. What is the correct method to consume symlinks
2. Is there a better approach to deploy & consume MSSQL ERROR logs from a large amount of systems.
Thanks

[monitor://C:\MSSQL LOGS*] - Does not work
[monitor://C:\MSSQL LOGS\LOG4*] - Does not work

inputs.conf

[monitor://C:\MSSQL LOGS*]
followSymlink = true
recursive = true
index = stage_idx
sourcetype = mssql:errorlog
disabled = 0

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi
did you tried to use SQL Server TA ( https://splunkbase.splunk.com/app/2648/ )?

Bye.
Giuseppe

0 Karma

justinbarta
Explorer

bump......

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...