Getting Data In

How do I set up Splunk Enterprise on Linux to ingest Windows logs that are not part of the universal forwarder install?

Sarmbrister
Path Finder

I am new to Splunk. The main admin left a few months ago and I have taken over with little to no training. A colleague wants to ingest Windows Event Lync service logs and I have no idea how to get it to work, but he has installed the universal forwarder. Can someone help me out? I have read the documents on inputs.conf and am still having issues. Need help, fellow Splunkers!

Thanks in advance.

0 Karma
1 Solution

alacercogitatus
SplunkTrust

Aye, my friend. I've heard many a tall tale of such mutiny. If only the loyalty of the first mate was to be held with integrity! Methinks you have come to the right place. The Conf of Inputs (a heavily visited island in these here parts) does in fact contain the basics of the information you seek! First, seek ye the location of the Logs of Lync. Knowing the location of such Logs is paramount to properly mining them. Second, configure the Conf of Inputs ( inputs.conf ) to use a stanza of monitor, consult ye the docs mentioned by yourself on proper syntax. Upon correct placement of this conf (on the forwarder), restart said Agent of Splunk (forwarder on the Windows box). A sample of said configuration booty shall be listed herein, as we in the Conf of Splunk tend to do. Avast! I see the shores that contain this Lake of Data! Query forthwith ye questions!

[monitor://C:\Windows\System32\SomePathtoLync]
sourcetype = lync_server

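The three steps the accepted answer describes (find the log folder, write a monitor stanza on the forwarder, restart the forwarder), carried through as an added example. This is not configuration from the thread or from Splunk; it assumes the universal forwarder is installed at its default path, uses the thread's SomePathtoLync placeholder for the log folder, and uses a made-up indexer hostname (indexer.example.com) and index name (lync) that you would replace with your own. The outputs.conf part is included because the follow-up reply mentions confusion between ports 9997 and 8089: 9997 is the indexer's default receiving port for forwarded data, while 8089 is the management (REST) port.

```powershell
# Added example, not the thread's own configuration. Assumed values:
# default forwarder install path, placeholder log folder from the thread,
# and an invented indexer hostname / index name. Run from an elevated prompt.
$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder'
$AppLocal    = Join-Path $SplunkHome 'etc\apps\lync_inputs\local'
$LyncLogPath = 'C:\Windows\System32\SomePathtoLync'   # placeholder from the thread
$Indexer     = 'indexer.example.com'                  # assumed hostname

# Step 1: the forwarder can only mine logs it can see. Check the folder exists
# (the UF service account must also have read access to it).
if (-not (Test-Path $LyncLogPath)) {
    Write-Warning "Log path not found: $LyncLogPath"
}

New-Item -ItemType Directory -Path $AppLocal -Force | Out-Null

# Step 2: inputs.conf with the monitor stanza from the answer, plus the
# settings a new admin usually wants spelled out explicitly.
@"
[monitor://$LyncLogPath]
sourcetype = lync_server
index = lync
disabled = 0
recursive = true
"@ | Set-Content -Path (Join-Path $AppLocal 'inputs.conf') -Encoding ASCII

# outputs.conf: where the forwarder sends events. 9997 is the indexer's
# default receiving port; 8089 is the management port and is not used for
# forwarded data.
@"
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = ${Indexer}:9997
"@ | Set-Content -Path (Join-Path $AppLocal 'outputs.conf') -Encoding ASCII

$SplunkExe = Join-Path $SplunkHome 'bin\splunk.exe'

# Pre-flight checks: is the receiving port reachable, and does btool show the
# merged stanza (typos in the stanza header simply make it disappear here)?
Test-NetConnection -ComputerName $Indexer -Port 9997 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
& $SplunkExe btool inputs list --debug | Select-String 'SomePathtoLync'

# Step 3: restart the forwarder so it reads the new conf files, then confirm
# the forward-server is active (this prompts for the forwarder's admin login).
& $SplunkExe restart
& $SplunkExe list forward-server
```

Once the forwarder is running, confirm on the indexer side with a search such as `index=lync sourcetype=lync_server` (using whatever index name you chose); if btool showed the stanza but nothing arrives, the usual causes are the UF service account lacking read access to the folder, or the indexer not having receiving enabled on 9997.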

Sarmbrister
Path Finder

Apologize for the late response, but that is the BEST answer ever purely for the pirate lingo lol. I have visited this and everything looks like it has been configured right. I think part of the issue is that the UF on the Windows server is configured for port 9997 instead of 8089. Also I have training in a few weeks and will be at the Splunk .conf2015 getting my admin cert, so I will no longer be a newbie floating in the water but captaining my own ship :D. Thanks again, will let you know how everything works out.

Sarmbrister
Path Finder

Worked like a charm! Thanks again Captain.

0 Karma

ChrisG
Splunk Employee

Great answer. I think, there near the end, you meant to say "restarrrrrrrt."
