In the inputs.conf of a deployment app, I need to monitor multiple files on numerous remote servers.
What should be my current syntax?
Here's what I have:
disabled = false
ignoreOlderThan = 7d
index = uim_index
I can't see any results in the index.
Is there something wrong with my syntax?
Also, I couldn't see any error in splunkd.log. Any ideas where I could look?
You may not have permissions to monitor files on another system. If your Splunk instantiation is installed with the default setup on a Windows machine, it is running with that computer’s ‘local system’ account. This account has full privileges on that system, but would have no privileges on the remote system - and therefore would be unable to monitor it.
A [monitor] stanza needs to point to a file that exists on a filesystem present on the machine running the forwarder. If every forwarder has the same file, your monitor may look like:
[monitor://C:\System32\Winevt\logs\man.evtx]
disabled = false
crcSalt=
ignoreOlderThan = 7d
index = uim_index
If each server has files in different locations, you will likely have to create multiple inputs.conf variants and deploy the valid one for each forwarder.
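The two checks raised in the answers above, as a small lint pass over an inputs.conf (an added example, not part of the original thread and not a Splunk tool): it flags monitor stanzas that point at a UNC path, which the forwarder's service account may have no rights to read, and literal local paths that do not exist on the machine where it runs. The function names, finding codes and the second stanza in the sample are constructed for illustration.

```python
import os
import re

MONITOR = re.compile(r"^\[monitor://(?P<path>.+)\]\s*$")
# Constructed sample: the first stanza is the one from the answer above,
# the second (UNC path, no index) is made up to show the remote-file case.
SAMPLE = r"""
[monitor://C:\System32\Winevt\logs\man.evtx]
disabled = false
index = uim_index

[monitor://\\fileserver01\logs\app.log]
disabled = false
"""

def parse_monitor_stanzas(text):
    """Return {path: {setting: value}} for each [monitor://...] stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = MONITOR.match(line)
            current = stanzas.setdefault(m.group("path"), {}) if m else None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def check_stanza(path, settings, exists=os.path.exists):
    """Return finding codes for one stanza; wildcard paths skip the existence check."""
    findings = []
    if settings.get("disabled", "false").lower() in ("true", "1"):
        findings.append("disabled")
    if path.startswith("\\\\"):
        findings.append("remote-path")
    elif "*" not in path and "..." not in path and not exists(path):
        findings.append("not-found")
    if "index" not in settings:
        findings.append("no-index")  # events would go to the default index
    return findings

def lint(text, exists=os.path.exists):
    return {p: check_stanza(p, s, exists) for p, s in parse_monitor_stanzas(text).items()}

if __name__ == "__main__":
    for path, findings in lint(SAMPLE).items():
        print(path, "->", ", ".join(findings) or "ok")
```

Run it on each forwarder against the inputs.conf that was deployed there, since the existence check only means something on the machine that will read the file.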