I have been having a difficult time finding any examples of this specific scenario. I need my Splunk Enterprise 7.0.3 instance, which is being executed by an MSA (residing on a Windows host), to continuously monitor the audit log files on a remote Linux host.
How I access the log files manually:
From the Windows host, I have set up an NFS (using Open Text NFS Solo) that can access the file using either of the 2 UNC paths:
1. \ remote_ip_addr\var\log\audit\audit.log
2. \ remote_ip_addr\/var/log/audit/audit.log
I also have a mapped S: to the UNC path= \ remote_ip_addr\/var/log (S:\audit\audit.log)
(Please note that I have purposely added a whitespace after "\" in the paths above because I do not have enough karma points to post links and I did not want the paths to be censored by answers.splunk. But no whitespace exists on my real system)
Attempts with Splunk Web to Add Data>upload are successful if I use any of the above 3 options.
Every attempt to continuously monitor this file has been unsuccessful, resulting in one of the following:
- No data exists in the index and splunkd.log reports the following error: WARN FilesystemChangeWatcher - error getting attributes of path "full_path_to_audit.log": The network path was not found.
- No data exists in the index but splunkd.log reports no errors/warnings.
I have also tried to add continuous monitoring via stanza form in $SPLUNK_HOME/etc/system/local/inputs.conf.
What is the proper way to have Splunk monitor this file?
@madavis1986 were you able to get a solution on this?