Monitoring Splunk

windows logs monitoring

splkadmin
Explorer

HI 

I have installed the windows forward log on my windows machine with the default installation and I am receiving the event, system logs to the default main index

 I have to add a logs directory eg D:/App/system/logs to my Splunk, 

I have added through CLI using ./splunk add monitor D:/App/system/logs and restarted the service but unfortunately, still I am not receiving the logs to my Splunk index.

can you please your support to provide the details to add the log directory to the Splunk

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @splkadmin,

If you need to index windows logs, at first, I hint to use the Splunk Windows TA (https://splunkbase.splunk.com/app/742/) where you can already find all the scripts and monitor stanzas to index all windows logs.

You have only to enable the stanzas you need.

Than I hint to not put the logs in the main index, but to send them to specific indexes (e.g. wineventlog, perfmon, msad, etc...) so you can manage accesses and retention for each one.

At least to monitor files in a folder, you can take one of the stanzas and copy it modifYing only the first row, otherwise follow the procedure at https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectories

In few words:

if you alread have a Technical Add-on (e.g. Windows_TA) you can put the following stanza in the $SPLUNK_HOME\etc\apps\your_app\local\inputs.conf, otherwise you can create your own TA and put in inputs.conf:

[monitor://D:\App\system\logs\*.log]
disable = 0
index = your_index
Sourcetype = your_sourcetype

Here you  can find a useful video:

https://www.splunk.com/en_us/training/videos/getting-data-in-to-splunk-enterprise-windows.html

Ciao.

Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @splkadmin,

If you need to index windows logs, at first, I hint to use the Splunk Windows TA (https://splunkbase.splunk.com/app/742/) where you can already find all the scripts and monitor stanzas to index all windows logs.

You have only to enable the stanzas you need.

Than I hint to not put the logs in the main index, but to send them to specific indexes (e.g. wineventlog, perfmon, msad, etc...) so you can manage accesses and retention for each one.

At least to monitor files in a folder, you can take one of the stanzas and copy it modifYing only the first row, otherwise follow the procedure at https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectories

In few words:

if you alread have a Technical Add-on (e.g. Windows_TA) you can put the following stanza in the $SPLUNK_HOME\etc\apps\your_app\local\inputs.conf, otherwise you can create your own TA and put in inputs.conf:

[monitor://D:\App\system\logs\*.log]
disable = 0
index = your_index
Sourcetype = your_sourcetype

Here you  can find a useful video:

https://www.splunk.com/en_us/training/videos/getting-data-in-to-splunk-enterprise-windows.html

Ciao.

Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @splkadmin,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma