I have a VoIP telephony server and I'm hesitant to place a Splunk light forwarder on this server at this time (CR won't get passed). I have shared the log files so that I can map a Windows drive and now see these files as drive Z:. I have a light forwarder set up on the box that I have now created the mapped drive on and have added the following to the $SPLUNK_HOME\etc\system\local\inputs.conf

[monitor://z:\*.log]
disabled = false
sourcetype = CDR_Record
host = pabx
Is there something that I am missing or is it not possible to monitor log files on a mapped drive? Many Thanks
Both the user and the user running splunk are admin. Neither computer is on the domain and the logon credentials are added as part of the drive mapping. Local eventlogs and WMI information are forwarding fine. Please note disable = false should read disabled = false
Drive mappings that trigger a Windows password prompt at the time that the drive is accessed will not work, but so long as the path is passively accessible by the user, it should work. Is this as simple as your log files being in a subdirectory on that drive?
Persistent drive mappings for a user are only established for interactive logon sessions, which means that the Splunk service account won't see these mappings. I was going to suggest you use UNC paths instead, but these won't work unless you have machines on the domain (or if matching user accounts on both non-domain machines have the same password). This: http://stackoverflow.com/questions/182750/how-to-map-a-network-drive-to-be-used-by-a-service provides some ways to deal with this.
Gkapanathy is correct. Only interactive logon sessions can access mapped drives. The best bet is to create a share on the log server and access via UNC path from the forwarder.
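An added check for the UNC approach described in the two answers above (example script, not from the original thread or from Splunk). It assumes the PABX logs are shared as \\pabx\cdrlogs (placeholder share name) and that the forwarder runs as the Windows service Splunkd or SplunkForwarder; run it in a PowerShell session started with the forwarder service account's credentials, since the interactive user's mapped drives and tokens are not what the service sees.

```powershell
# Added example, not the thread's own config. Placeholder share path for the PABX logs:
$share = '\\pabx\cdrlogs'

# 1. Identify the account the forwarder service runs as. That account, not the
#    interactively logged-on admin, must be able to read the share. On a workgroup
#    machine its username and password must match an account on the PABX.
$svc = Get-CimInstance Win32_Service -Filter "Name='Splunkd' OR Name='SplunkForwarder'"
if (-not $svc) { throw 'No Splunk service found on this host' }
$svc | Select-Object Name, StartName, State | Format-Table -AutoSize
"This session runs as: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# 2. Mapped drive letters belong to a logon session, so test the UNC path directly.
if (-not (Test-Path -LiteralPath $share)) {
    throw "Cannot reach $share from this session; check share/NTFS permissions and credentials"
}
$logs = Get-ChildItem -LiteralPath $share -Filter '*.log' -File
if ($logs.Count -eq 0) { Write-Warning "No *.log files visible under $share" }
$logs | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

# 3. Show the permissions the forwarder will be evaluated against.
Get-Acl -LiteralPath $share | Format-List Owner, AccessToString

# 4. Stanza to put in $SPLUNK_HOME\etc\system\local\inputs.conf in place of the
#    drive-letter version, followed by a restart of the forwarder service.
@"
[monitor://$share\*.log]
disabled = false
sourcetype = CDR_Record
host = pabx
"@
```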
I am running into a similar issue with accessing files on a UNIX server from a Windows machine where Splunk is installed. Both the servers are in the domain and I am trying to access the UNIX location using a UNC path (samba access enabled) but with no luck. It does not throw an error but does not retrieve any files either. Any help will be appreciated
... domain (or if matching user accounts on both non-domain machines have the same password).
I wanted to add to the answer above. You can have data pulled off of a share even if one of the servers is in a domain and the other is not. I have confirmed this where my indexer is on a server in a domain but data was on a server in a work group. I have not confirmed it the other way but I believe it should work as well. Just make sure your credentials for the Splunkd service account and the user account on the share permissions are identical.