Getting Data In
Highlighted

Windows Mapped Drive and Light Forwarding

Engager

I have a VoIP telephony server and I'm hesitant to place a splunk light forwarder on this server at this time (CR wont get passed). I have shared the log files so that I can mapped a windows drive and now see these files as drive Z:. I have a light forwarder set up on the box that I have now created the mapped drive on and have added the following to the $SPLUNK_HOME\etc\system\local\inputs.conf

[monitor://z:\*.log]
disabled = false
sourcetype = CDR_Record
host = pabx

Is there something that I am missing or is it not possible to monitor log files on a mapped drive? Many Thanks

Tags (2)
0 Karma
Highlighted

Re: Windows Mapped Drive and Light Forwarding

Splunk Employee
Splunk Employee

What user are you running Splunk as? The same user with the drive mapping? When is the mapping set up?

0 Karma
Highlighted

Re: Windows Mapped Drive and Light Forwarding

Engager

Both the user and the user running splunk are admin. Neither computer is on the domain and the logon credentials are added as part of the drive mapping. Local eventlogs and WMI information are forwarding fine. Please note disable = false should read disabled = false

Highlighted

Re: Windows Mapped Drive and Light Forwarding

Splunk Employee
Splunk Employee

Drive mappings that trigger a windows password prompt at the time that the drive is accessed will not work, but so long as the path is passively accessible by the user, it should work. Is this as simple as your log files being in a subdirectory on that drive?

0 Karma
Highlighted

Re: Windows Mapped Drive and Light Forwarding

Splunk Employee
Splunk Employee

Persistent drive mappings for a user are only established for interactive logon sessions, which means that the Splunk service account won't see these mappings. I was going to suggest you use UNC paths instead, but these won't work unless you have machines on the domain (or if matching user accounts on both non-domain machines have the same password). This: http://stackoverflow.com/questions/182750/how-to-map-a-network-drive-to-be-used-by-a-service provides some ways to deal with this.

Highlighted

Re: Windows Mapped Drive and Light Forwarding

Motivator

Gkapanathy is correct. Only interactive logon sessions can access mapped drives. The best bet is to create a share on the log server and access via UNC path from the forwarder.

Highlighted

Re: Windows Mapped Drive and Light Forwarding

Explorer

I am running into similar issue with accessing files on a UNIX server from a Windows machine where Splunk is installed. Both the servers are in the domain adn I am trying to access the UNIX location using a UNC path (samba access enabled) but with no luck. It does not throw an error but does not retrieve any files either. Any help will be appreciated

Highlighted

Re: Windows Mapped Drive and Light Forwarding

New Member

... domain (or if matching user accounts on both non-domain machines have the same password).

I wanted to add to the answer above. You can have data pulled off of a share even if one of the servers is in a domain and the other is not. I have confirmed this where my indexer is on a server in a domain but data was on a server in a work group. I have not confirmed it the other way but I believe it should work as well. Just make sure your credentials for the Splunkd service account and the user account on the share permissions are identical.

0 Karma