Why can't a logfile that Splunk is monitoring be a...

schose · ‎05-27-2015

Hi all,

I'm logging the output of scheduled tasks to a central CIFS location. On the fileserver hosting the CIFS, I installed the splunk forwarder.

inputs.conf

[monitor://D:\rebootlogs]
disabled = false
host_regex = reboot-(.+)\.log$
index = temp
sourcetype = rebootlogs

When splunkforwarder is running, the files are getting indexed. Unfortunately, from time to time it happens that the script cannot write to the logfile and log messages are getting lost! I'm using "add-content" cmdlet in the powershell script.

see screenshot:

Which setting should be tweaked to avoid access violations and log messages to get lost? Installing the splunkforwarder on each client and index it locally is not intended.

m4him7 · ‎05-27-2015

Are you having Splunk run the script?
Check:
https://answers.splunk.com/answers/151792/how-to-import-text-file-results-of-a-powershell-script-whe...
https://answers.splunk.com/answers/151792/how-to-import-text-file-results-of-a-powershell-script-whe...

https://answers.splunk.com/answers/151962/how-to-configure-scripted-inputs-and-check-if-they-are-run...

I hope those give you some ideas.

schose · ‎05-28-2015

Hi,

No, the script should not be scheduled by Splunk. It's running "on demand" and is scheduled by a 3rd party solution. I just want to display the output in splunk

Why can't a logfile that Splunk is monitoring be accessed, preventing a script from writing to the file and log messages are getting lost?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?