What should I attach to my install script if I want to start monitoring the event log in "tail" mode. I don't want to grab any historical events on the first time the LWF runs on the client machines.
I have this as an install script:
msiexec.exe /i %SPLUNK_MSI% LAUNCHSPLUNK=0 WMICHECK_CPUTIME=0 WMICHECK_LOCALDISK=0 WMICHECK_FREEDISK=0 WMICHECK_MEMORY=0 WINEVENTLOGAPPCHECK=0 WINEVENTLOGSECCHECK=1 WINEVENTLOGSYSCHECK=0 /QUIET
This will successfully enable the Security event log on windows, but will capture the historical events.
I don't think the requisite flag, current_only, is exposed in the WMI interface. You will need to do one of:
Is there a way to append the inputs.conf? I can possibly disable all inputs from the install and then have another line in the script to copy the /etc/ files. I don't to override the inputs.conf file that splunk creates during installation, since that contains the hostname of the client.
I'm using the free splunk so I can't utilize the deployment server/client environment.
You should use configuration files immediately after running the installer to set this up. See either: http://answers.splunk.com/questions/434/can-i-auto-install-or-deploy-splunk-onto-all-my-remote-windo... or http://www.splunk.com/wiki/Deploy:SplunkForwarder_for_Windows_installscript for an example of a script that installs and lays down any desired configuration on top.
This works, however, when the service starts for the first time, it overrides the files I've placed...i.e. I created an inputs.conf that has certain attributes, after the splunk service starts, it replaced my custom inputs.conf, it did not append it as I expected.