I’ve created a simple deployment app for windows systems to filter unwanted logs from windows event logs. There are 4 files that is being pulled by deployment client to “winev/default” under app folder. All of the configuration files (props, transforms, output) are being executed except “input.conf”.
[default]
[WinEventLog:Application] disabled = 0 [WinEventLog:Security] disabled = 0 start_from = oldest [WinEventLog:System]
02-25-2011 12:51:03.159 INFO WinEventLogChannel - initWinEvtApi: We must be in an XP/2k3 family OS. Switching using the old Windows Event Log api: The specified module could not be found.. 02-25-2011 12:51:03.159 INFO loader - Instantiated plugin: queueoutputprocessor
02-25-2011 12:53:11.207 INFO WinEventLogChannel - initWinEvtApi: We must be in an XP/2k3 family OS. Switching using the old Windows Event Log api: The specified module could not be found.. 02-25-2011 12:53:11.222 INFO WinEventLogChannel - Initialized Windows Event Log='Application' Success; oldest_rec_id='866'; newest_rec_id='2101'; total_rec='1236' 02-25-2011 12:53:11.222 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Application' 02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Application': total_events='0' with empty_msg='0'. 02-25-2011 12:53:11.238 INFO WinEventLogChannel - init: Binding to DC to translate guids/sids for channel='Security' 02-25-2011 12:53:11.238 INFO WinEventLogChannel - Initialized Windows Event Log='Security' Success; oldest_rec_id='1'; newest_rec_id='289'; total_rec='289' 02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Security' 02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Security': total_events='0' with empty_msg='0'. 02-25-2011 12:53:11.238 INFO WinEventLogChannel - Initialized Windows Event Log='System' Success; oldest_rec_id='4959'; newest_rec_id='7389'; total_rec='2431' 02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'System' 02-25-2011 12:53:11.285 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'System': total_events='10' with empty_msg='0'.
I even checked that Splunk is parsing my config files in deployment app by removing ‘#’ from my comments and double checking the splunkd.log. I would appreciate it if you could help me with this one
I dont suppose the client is Windows 2000, is it? Windows 2000 isn't currently supported for collecting WMI or Event Logs.
The client is windows XP SP3.
If you're writing the filename you're using correctly, the issue is due to a typo in the filename: the file should be called "inputs.conf" instead of "input.conf".
If the windows app has these outputs disabled these properties will override your properties since "windows" is evaluated before "winev".
Sorry, I mistype those file names.
I found something interesting if i remove "windows" from application everything will just work fine is it possible that "windows" and my app are conflicting some how?