Monitoring Splunk

How can I get my Splunk Enterprise instance to monitor audit log files on a remote Linux host?

madavis1986
Explorer

I have been having a difficult time finding any examples of this specific scenario. I need my Splunk Enterprise 7.0.3 instance, which is being executed by an MSA (residing on a Windows host), to continuously monitor the audit log files on a remote Linux host.

How I access the log files manually:
From the Windows host, I have set up an NFS (using Open Text NFS Solo) that can access the file using either of the 2 UNC paths:
1. \ remote_ip_addr\var\log\audit\audit.log
2. \ remote_ip_addr\/var/log/audit/audit.log

I also have S: mapped to the UNC path \ remote_ip_addr\/var/log (S:\audit\audit.log)

(Please note that I have purposely added a whitespace after "\" in the paths above because I do not have enough karma points to post links and I did not want the paths to be censored by answers.splunk. But no whitespace exists on my real system)

Attempts with Splunk Web to Add Data>upload are successful if I use any of the above 3 options.

Every attempt to continuously monitor this file has been unsuccessful resulting in one of the following:

— No data exists in the index and splunkd.log reports the following error: WARN FilesystemChangeWatcher - error getting attributes of path "full_path_to_audit.log": The network path was not found.

— No data exists in the index but splunkd.log reports no errors/warnings.

I have also tried to add continuous monitoring via a stanza in $SPLUNK_HOME/etc/system/local/inputs.conf

What is the proper way to have Splunk monitor this file?

0 Karma
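As an added example (not from the original post), this is the stanza form of the monitor input in $SPLUNK_HOME/etc/system/local/inputs.conf using the first UNC path from the question; the index and sourcetype names are assumptions. A drive letter such as S: is mapped per logon session and is not visible to a service running under an MSA, so the UNC form is the one a service can resolve, and the MSA itself must hold read access to the export.

```ini
# Added example, not from the original post.
# remote_ip_addr is the placeholder used in the question.
# Index and sourcetype names below are assumptions.
[monitor://\\remote_ip_addr\var\log\audit\audit.log]
disabled = 0
index = linux_audit
sourcetype = linux_audit
```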

payal23
Path Finder

@madavis1986 were you able to get a solution on this?

0 Karma