How do we index NetApp .evt files on a UNIX box?

I_am_Jeff
Communicator

We have several NetApps that require log retention. Getting log events to Splunk appears to be an odd configuration. Odd being defined as we haven't done it before.

  • The NetApp admin cannot install additional software
  • The BSD-style syslog events generated by the NetApp do not have the information we wish to retain.
  • The files required end in the .evt extension. I don't have the expertise to state they are MS Windows event logs, but they sure look like it.
    • The Solaris Splunk box says these are data files.
    • adtlog.20110809154604.evt: data
  • The files are NFS mounted on our Solaris Splunk system.
  • We do not understand how to use trans.py from the Windows app, Splunk for Windows.

More environment information.

  • Splunk is 4.1.5.
  • Splunk is currently running on a Solaris 10 zone.
  • The NetApp .evt files are mounted using the NFS automounter, configured in /etc/auto/auto_netapp.
    • The file system is mounted as needed.
    • /opt/ext/netapp01 -ro netapp01:/vol/vol0/etc/log
  • Three different teams, at two different locations, are involved: me (your friendly, neighborhood Splunk application admin), the UNIX admin team, and the NetApp team. We have not engaged the Windows team at this point.

It may just be we don't know how to use the Windows app correctly. Seems like we have another option as well, mounting the files on a Windows system and having a Universal Forwarder connect to port 9997 on the Splunk system. We have done this successfully on other MS Windows systems.

We want to retain host information. (If these were normal syslog/text files, we could use the directory for the hostname.)

So, what exactly do we need to do to get these files in our Splunk index? We're especially unfamiliar with the Windows App and trans.py.

gkanapathy
Splunk Employee

The files are Windows Event Log binary export files (well, in the same format). If you install a Splunk forwarder on Windows (Universal Forwarder or Light), and set it up to forward to your indexer(s), you can simply read/input the .evt files on the forwarder. It will convert them and forward them to your Solaris Splunk instance. The Windows Splunk forwarders have code to recognize and automatically convert the files into readable form (I think based on the file name extension) and should also have the ability to extract the host from one of the fields (ComputerName, I think) in the file.

You can copy/FTP the .evt files to a monitored or batch directory on the forwarder, or mount and monitor another directory where they are written.

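As an added illustration of the setup this answer describes (not configuration from the original post, and not taken from Splunk's documentation), here are the two forwarder-side files a Universal Forwarder on the Windows host would need. The NetApp host name netapp01 and the indexer port 9997 come from the question; the UNC share path, the index name and the indexer host name are assumptions for the example. Splunk .conf files only accept comments on their own lines, so none are placed after a value.

```ini
# inputs.conf on the Windows Universal Forwarder (added example, not from the original post)
#
# The question mounts netapp01:/vol/vol0/etc/log over NFS on Solaris; the UNC path
# below assumes the same NetApp volume is reachable from the Windows host as a share.
# Replace it with whatever the Windows admin actually maps.
#
# Only .evt files are picked up (whitelist is a regex on the full path). No sourcetype
# is forced: as the answer says, the Windows forwarder recognizes the .evt format by
# extension and converts the binary records before forwarding them.
#
# host is set explicitly per filer so the event keeps the NetApp's name even if the
# ComputerName field inside the file cannot be used. Add one stanza per NetApp.
[monitor://\\netapp01\etc$\log]
disabled = false
whitelist = \.evt$
host = netapp01
index = netapp

# outputs.conf on the same forwarder: send everything to the Solaris indexer on 9997,
# the port the question already uses for its other Windows forwarders.
# splunk-solaris.example.com is a placeholder for the real indexer name.
[tcpout]
defaultGroup = solaris_indexer

[tcpout:solaris_indexer]
server = splunk-solaris.example.com:9997
```

Put both files under the forwarder's etc/system/local (or an app's local directory), make sure the `netapp` index exists on the indexer, and restart the forwarder with `splunk restart`. A search such as `index=netapp host=netapp01` on the Solaris instance then shows whether the converted events are arriving with the expected host value; if the host comes back as the Windows machine instead, the explicit `host =` line above is what to check.
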
I_am_Jeff
Communicator

We ended up mounting on a Windows host and forwarding that way.
