Getting Data In

inputs.conf monitor stanza for a remote Windows server

New Member

Hello,

In the inputs.conf of a deployment app, i need to monitor multiple files on numerous remote servers.
What should be my current syntax?
Here's what i have:

[monitor:///Server Name/C:/System32/Winevt/logs/man.evtx]
disabled = false
crcSalt=
ignoreOlderThan = 7d
index = uim_index

I can't see any results in the index.
Is there something wrong with my syntax?
Also, i coudn't see any error in splunkd.log. any ideas where i could look?

Thanks

0 Karma

Path Finder

You may not have permissions to monitor files on another system. If your splunk instantiation is installed with the default setup on a Windows machine, it is running with that computer’s ‘local system’ account. This account has full privileges on that system, but would have no privileges on the remote system - and therefore would be unable to monitor it.

0 Karma

New Member

Good to know. Thanks!

0 Karma

Champion

Your [monitor] stanza needs to point to a file that exists on a filesystem present on the machine running the forwarder. If every forwarder has the same file, your monitor may look like:

[monitor://C:\System32\Winevt\logs\man.evtx]
disabled = false
crcSalt=
ignoreOlderThan = 7d
index = uim_index

If each server has files in different locations, you will likely have to create multiple inputs.conf variants and deploy the valid one for each forwarder.

New Member

Sounds good, thanks a lot!

0 Karma