Getting Data In

Universal Forwarder install- can't browse log file location

Bill_B
Communicator

I'm trying to install "splunkforwarder-6.0-182611-x64-release" on a Windows 2008 R2 server. While going through the install wizard, after selecting "Local Data Only", and then in the next window under "Path to monitor", I am unable to browse to the folder that the file is in.
The path is: C:\Windows\System32\winevt\Logs

From the install wizard I get to: C:\Windows\System32, but the "winevt" folder is not displayed.

I have tried making all folders visible through the "folder options" menu with no luck.

If I manually enter the path I receive this error:
"Windows can't find 'C:\Windows\System32\winevt\Logs'. Check spelling and try again."

I can reach the folder with normal Windows Explorer.

I checked with my Windows guy and he had no ideas. Any Windows gurus out there that know what's going on?

Thank you.

0 Karma

lukejadamec
Super Champion

Actually, you can, but it is not obvious. The window used to show the list of files in that folder is too small, so it only shows files and folders that start with a, then b, then c, etc... until the window is full, instead of showing the folders at the top followed by the files, which is what you expect.

Scroll down to the bottom of the list in the system32 folder and there should be a "show more" option. Keep doing that until you get to the winevent folder, and then you'll be able to access it.

It is either that, or there is a permission problem.

0 Karma

lukejadamec
Super Champion

Permission problem then. Glad you got it working.

0 Karma

Bill_B
Communicator

I was able to get around this problem by:
- Running the installer from an elevated command line.
- And, adding the flag "MONITOR_PATH=
This automatically populated the path option thereby eliminating the need to browse to it.
Eg: Right click on command line icon and select "Run as administrator".
Enter, "msiexec.exe /i MONITOR_PATH=""

linu1988
Champion

Did you try with run as administrator?

0 Karma