Hello all, I think I need help on this one.... We have a standalone Windows system which is our indexer, management and deployment server. In the field, we have several flavors of devices running universal forwarders, i.e. Windows, Linux, Solaris, etc. I am working on a directory monitor which will allow me to see what files are in a directory and report if one is missing or the like. To test this, I created a scripted input to gather the contents of the directory and forward it to the indexer.

inputs.conf
###### Scripted Input to monitor directory files
[script://./bin/dircontents.sh]
disabled = 0
interval = 60
sourcetype = Script:dircontents.sh
index = filewatch

props.conf
[Script:dircontents.sh]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
MAX_EVENTS = 10000
TRUNCATE = 0
DATETIME_CONFIG = CURRENT

dircontents.sh
cd /u01/DeticaHome/UI/data/acquisition/waiting
ls | sort

With those config files, I deploy the app without issue, but when the script runs I get the following:

index=_internal
07-23-2020 09:30:47.841 -0500 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/_server_app_Detica-File-Processing-Mon/bin/dircontents.sh" /bin/sh: /opt/splunkforwarder/etc/apps/_server_app_Detica-File-Processing-Mon/bin/dircontents.sh: cannot execute

It appears the permissions of the script are not correct. I checked, and the deployed script, dircontents.sh, has permissions 655 at deployment. I changed the permissions to 755 manually and the script took off and started working, but this was a manual intervention, which is not optimal. The universal forwarder was installed and running as root. To get this right, I need 755 permissions on the script for the scripted input. What have I missed? Any insight would be great at this point.

Thanks in advance,
Rcp
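
An added example, not part of the original post: a shell check that reads an app's inputs.conf, resolves each [script://...] stanza, and reports any script whose owner execute bit is missing, as with mode 655 (rw-r-xr-x) described above. It assumes that ./ paths resolve against the app directory, as the path in the ExecProcessor error suggests; the function names, output labels and the audit.sh file name are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# NOEXEC/MISSING/UNRESOLVED labels are made up for this illustration.
# Assumption: "./" script paths are relative to the app directory, as the
# path in the ExecProcessor error suggests.

# Print the path of every [script://...] stanza in one inputs.conf.
script_inputs() {
    sed -n 's|^[[:space:]]*\[script://\(.*\)\][[:space:]]*$|\1|p' "$1"
}

# Print the symbolic mode of a file, e.g. -rw-r-xr-x for 655.
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# Print one finding per scripted input that the owner cannot execute.
audit_app() {
    app=$1
    for conf in "$app/default/inputs.conf" "$app/local/inputs.conf"; do
        [ -f "$conf" ] || continue
        script_inputs "$conf" | while IFS= read -r p; do
            case $p in
                ./*) f="$app/${p#./}" ;;
                /*)  f=$p ;;
                *)   echo "UNRESOLVED $p"; continue ;;  # e.g. $SPLUNK_HOME/...
            esac
            [ -f "$f" ] || { echo "MISSING $f"; continue; }
            m=$(mode_of "$f")
            case $m in
                ???[xs]*) ;;                 # owner execute bit is set
                *) echo "NOEXEC $m $f" ;;    # 655 lands here, 755 does not
            esac
        done
    done
    return 0
}

# Succeeds only when audit_app reports nothing for the app.
app_ok() {
    [ -z "$(audit_app "$1")" ]
}

# Usage (hypothetical file name): sh audit.sh /opt/splunkforwarder/etc/apps/<app> ...
if [ $# -gt 0 ]; then
    for a in "$@"; do audit_app "$a"; done
fi
```

Run against the app directory on the deployment server and on a forwarder, the output shows on which side the execute bit is already missing.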