Installation
Highlighted

start tail monitoring windows event log upon Splunk install

Contributor

What should I attach to my install script if I want to start monitoring the event log in "tail" mode. I don't want to grab any historical events on the first time the LWF runs on the client machines.

I have this as an install script:

msiexec.exe /i %SPLUNK_MSI% LAUNCHSPLUNK=0 WMICHECK_CPUTIME=0 WMICHECK_LOCALDISK=0 WMICHECK_FREEDISK=0 WMICHECK_MEMORY=0 WINEVENTLOGAPPCHECK=0 WINEVENTLOGSECCHECK=1 WINEVENTLOGSYSCHECK=0 /QUIET

This will successfully enable the Security event log on windows, but will capture the historical events.

Highlighted

Re: start tail monitoring windows event log upon Splunk install

Champion

I don't think the requisite flag, current_only, is exposed in the WMI interface. You will need to do one of:

  • Manually (possibly by script) tweak the inputs.conf post-install, but this will not prevent splunk from starting to pull the eventlog when it's first started. Since you are setting LAUNCHSPLUNK=0, this should be achivable before the first start.
  • Alternatively, leave all the inputs disabled, but configure your hosts as deployment clients. Then you can deliver an inputs.conf tailored to your needs via that method. Unfortunately deployment client configuration isn't triggerable via the MSI commandline.
Highlighted

Re: start tail monitoring windows event log upon Splunk install

Contributor

Is there a way to append the inputs.conf? I can possibly disable all inputs from the install and then have another line in the script to copy the /etc/ files. I don't to override the inputs.conf file that splunk creates during installation, since that contains the hostname of the client.

I'm using the free splunk so I can't utilize the deployment server/client environment.

0 Karma
Highlighted

Re: start tail monitoring windows event log upon Splunk install

Legend

You should use configuration files immediately after running the installer to set this up. See either: http://answers.splunk.com/questions/434/can-i-auto-install-or-deploy-splunk-onto-all-my-remote-windo... or http://www.splunk.com/wiki/Deploy:SplunkForwarder_for_Windows_installscript for an example of a script that installs and lays down any desired configuration on top.

View solution in original post

Highlighted

Re: start tail monitoring windows event log upon Splunk install

Contributor

This works, however, when the service starts for the first time, it overrides the files I've placed...i.e. I created an inputs.conf that has certain attributes, after the splunk service starts, it replaced my custom inputs.conf, it did not append it as I expected.

0 Karma
Highlighted

Re: start tail monitoring windows event log upon Splunk install

Legend

where did you put your custom file? etc/system/local would be the wrong place.

0 Karma
Highlighted

Re: start tail monitoring windows event log upon Splunk install

Contributor

Yes that's where i put my file. Where would be the better spot?

0 Karma
Highlighted

Re: start tail monitoring windows event log upon Splunk install

Legend

etc/apps/search/local

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.