Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

inputs.conf monitor stanza for a remote Windows server

eli9714
New Member
‎12-29-2017 09:06 AM

Hello,

In the inputs.conf of a deployment app, i need to monitor multiple files on numerous remote servers.
What should be my current syntax?
Here's what i have:

[monitor:///Server Name/C:/System32/Winevt/logs/man.evtx]
disabled = false
crcSalt=
ignoreOlderThan = 7d
index = uim_index

I can't see any results in the index.
Is there something wrong with my syntax?
Also, i coudn't see any error in splunkd.log. any ideas where i could look?

Thanks

0 Karma
Reply

danielransell
Path Finder
‎01-01-2018 06:22 PM

You may not have permissions to monitor files on another system. If your splunk instantiation is installed with the default setup on a Windows machine, it is running with that computer’s ‘local system’ account. This account has full privileges on that system, but would have no privileges on the remote system - and therefore would be unable to monitor it.

0 Karma
Reply

eli9714
New Member
‎01-02-2018 06:26 AM

Good to know. Thanks!

0 Karma
Reply

micahkemp
Champion
‎12-29-2017 06:09 PM

Your [monitor] stanza needs to point to a file that exists on a filesystem present on the machine running the forwarder. If every forwarder has the same file, your monitor may look like:

[monitor://C:\System32\Winevt\logs\man.evtx]
disabled = false
crcSalt=
ignoreOlderThan = 7d
index = uim_index

If each server has files in different locations, you will likely have to create multiple inputs.conf variants and deploy the valid one for each forwarder.

Reply

eli9714
New Member
‎01-02-2018 06:25 AM

Sounds good, thanks a lot!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...