Getting Data In

How to configure a universal forwarder to monitor a log file in a certain drive on a Windows machine?

sushmitha_mj
Communicator

Hi,

I have configured a Windows universal forwarder on one of my Windows server. I do not want any of the event logs or performance monitoring on this machine, so I did not select any of that while configuring the universal forwarder.

There is a log file in the c: drive of this Windows machine which I want Splunk to source for me to search. Which inputs.conf file should I edit to configure Splunk to pick the log files? and what changes should I make? This is the first time I am doing the config on a Windows machine.

Thanks

1 Solution

skoelpin
SplunkTrust
SplunkTrust

Hello @sushmitha_mj

You can go to splunk/etc/system/local and create an inputs.conf file if its not already there. You will then need to create a stanza to monitor whatever file you want. It will look like this

[default]
host = SERVERNAME

[monitor://C:\*server.log]
disabled = false
sourcetype = srvlog
index = main

You will put your remote servername for the host, put the path and file you want to monitor, define the sourcetype you want it to have an the index you want it to go to.. In the example above, it will monitor a file called *Server.log.. make sure to restart the Splunk service on the forwarder after making these changes for them to take affect

You will also need to add an outputs.conf (assuming you don't already have it) and make sure it points to the indexer

View solution in original post

skoelpin
SplunkTrust
SplunkTrust

Hello @sushmitha_mj

You can go to splunk/etc/system/local and create an inputs.conf file if its not already there. You will then need to create a stanza to monitor whatever file you want. It will look like this

[default]
host = SERVERNAME

[monitor://C:\*server.log]
disabled = false
sourcetype = srvlog
index = main

You will put your remote servername for the host, put the path and file you want to monitor, define the sourcetype you want it to have an the index you want it to go to.. In the example above, it will monitor a file called *Server.log.. make sure to restart the Splunk service on the forwarder after making these changes for them to take affect

You will also need to add an outputs.conf (assuming you don't already have it) and make sure it points to the indexer

sushmitha_mj
Communicator

It worked... Thank you

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...