Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

inputs.conf monitor stanza for a remote Windows server

eli9714
New Member
‎12-29-2017 09:06 AM

Hello,

In the inputs.conf of a deployment app, i need to monitor multiple files on numerous remote servers.
What should be my current syntax?
Here's what i have:

[monitor:///Server Name/C:/System32/Winevt/logs/man.evtx]
disabled = false
crcSalt=
ignoreOlderThan = 7d
index = uim_index

I can't see any results in the index.
Is there something wrong with my syntax?
Also, i coudn't see any error in splunkd.log. any ideas where i could look?

Thanks

0 Karma
Reply

danielransell
Path Finder
‎01-01-2018 06:22 PM

You may not have permissions to monitor files on another system. If your splunk instantiation is installed with the default setup on a Windows machine, it is running with that computer’s ‘local system’ account. This account has full privileges on that system, but would have no privileges on the remote system - and therefore would be unable to monitor it.

0 Karma
Reply

eli9714
New Member
‎01-02-2018 06:26 AM

Good to know. Thanks!

0 Karma
Reply

micahkemp
Champion
‎12-29-2017 06:09 PM

Your [monitor] stanza needs to point to a file that exists on a filesystem present on the machine running the forwarder. If every forwarder has the same file, your monitor may look like:

[monitor://C:\System32\Winevt\logs\man.evtx]
disabled = false
crcSalt=
ignoreOlderThan = 7d
index = uim_index

If each server has files in different locations, you will likely have to create multiple inputs.conf variants and deploy the valid one for each forwarder.

Reply

eli9714
New Member
‎01-02-2018 06:25 AM

Sounds good, thanks a lot!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...