inputs.conf not being processed- Windows

peterfilardo
Explorer

I would like to have all Windows servers send all their event logs to my "windows" index, except for the domain controllers. For those, I want just the Security event log to go to the "AD" index. The forwarders are being controlled via a deployment server. I have two inputs.conf files in their own \apps\ directories, but only one is being used or even appearing in the "splunk cmd btool inputs list --debug" output.

C:\Program Files\SplunkUniversalForwarder\etc\apps\ad\local\inputs.conf

###### Active Directory "Security" event log ######
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
index = ad
start_from = oldest

C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf

[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
index = windows
start_from = oldest

Currently all DC events are being sent to the "windows" index. Hurmph. I'm pretty sure this is set up correctly, as \ad\ comes before \Splunk_TA_windows\ alphabetically. This behavior is identical across 4 different DCs. I can't seem to find any documentation about conf files being ignored totally and completely. Stumped.

Any ideas?

0 Karma
1 Solution

lukejadamec
Super Champion

This is a precedence problem, and a not-best-practice issue.

Uppercase S takes App precedence over lowercase a. See:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

Kristian is right about different serverclasses because it does not seem right to have conflicting enabled source inputs.

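As an added example (not code from this thread or from Splunk), a small Python model of the app-directory precedence rule described in the answer, applied to the two inputs.conf files from the question. The stanza contents are constructed from the page and trimmed to the keys that matter; the case-insensitive mode exists only to reproduce the ordering the original poster assumed.

```python
# Added example, not Splunk's code: models the app-directory precedence rule from the
# accepted answer. inputs.conf is merged in the global context (system/local, then every
# app's local dir, then every app's default dir, then system/default). App dirs are ordered
# by ASCII value, so "Splunk_TA_windows" (S = 0x53) sorts before "ad" (a = 0x61), and the
# first app in that order supplies the value of any conflicting key.
import configparser

# Constructed from the two inputs.conf files on the page, keyed by app directory name.
APP_LOCAL_INPUTS = {
    "ad": "[WinEventLog://Security]\ndisabled = 0\nindex = ad\n",
    "Splunk_TA_windows": "[WinEventLog://Security]\ndisabled = 0\nindex = windows\n",
}


def parse_conf(text):
    """Parse a Splunk .conf file into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def effective_config(app_confs, case_sensitive=True):
    """Merge per-app local inputs.conf files the way Splunk layers them.

    case_sensitive=True is Splunk's real ASCII ordering; False models the
    case-insensitive "alphabetical" order the original poster assumed.
    Returns (merged config, {(stanza, key): winning app}); the second value
    is what "splunk cmd btool inputs list --debug" reports per setting.
    """
    order = sorted(app_confs, key=(lambda n: n) if case_sensitive else str.lower)
    merged, winner = {}, {}
    for app in order:
        for stanza, settings in parse_conf(app_confs[app]).items():
            merged.setdefault(stanza, {})
            for k, v in settings.items():
                if k not in merged[stanza]:  # first app in precedence order wins
                    merged[stanza][k] = v
                    winner[(stanza, k)] = app
    return merged, winner


def security_index(case_sensitive=True):
    """Which index receives the Security log, and which app supplied it."""
    merged, winner = effective_config(APP_LOCAL_INPUTS, case_sensitive)
    stanza = "WinEventLog://Security"
    return merged[stanza]["index"], winner[(stanza, "index")]
```

With Splunk's real ordering the Security stanza resolves to index=windows from Splunk_TA_windows, which is exactly what the poster observed; only under the case-insensitive ordering would the ad app win.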
peterfilardo
Explorer

uppercase before lower, UGH. totally should have caught that. works now, thanks!

0 Karma

kristian_kolb
Ultra Champion

aah, of course. Uppercase comes before lowercase....

0 Karma

kristian_kolb
Ultra Champion

Though I have not played a lot with configuration file precedence, i.e. knowingly distributed apps with conflicting configs, it seems that you are right in your assumptions. Is the 'ad' app enabled?
See the app.conf for that app.

Other solutions/workarounds:

Why not create a separate serverclass for the DCs and create two different apps, where the value for the destination index is the major difference?

Or you can set up an index-time TRANSFORM to rewrite the destination index for the events coming from the DCs.

/K

0 Karma

kristian_kolb
Ultra Champion

Well, I was just guessing as to why the config did not list. Anyway, I would still suggest that you deploy one app for the DCs and another app for the other Windows hosts.

Neat and simple, with little room for confusion.

/K

0 Karma

peterfilardo
Explorer

The AD app is one of my own creation, the contents of which are local\inputs.conf. Is there a line I need to add to enable it? I'd have thought that app would be put in disabled-apps. I've created and distributed apps for other inputs.conf files and did not explicitly enable them in the files, only within the "Forwarder Management" page of the deployment server.

0 Karma