Hello,
In the inputs.conf of a deployment app, I need to monitor multiple files on numerous remote servers.
What should be my current syntax?
Here's what I have:
[monitor:///Server Name/C:/System32/Winevt/logs/man.evtx]
disabled = false
crcSalt=
ignoreOlderThan = 7d
index = uim_index
I can't see any results in the index.
Is there something wrong with my syntax?
Also, I couldn't see any error in splunkd.log. Any ideas where I could look?
Thanks
You may not have permissions to monitor files on another system. If your Splunk instantiation is installed with the default setup on a Windows machine, it is running with that computer’s ‘local system’ account. This account has full privileges on that system, but would have no privileges on the remote system - and therefore would be unable to monitor it.
Good to know. Thanks!
Your [monitor] stanza needs to point to a file that exists on a filesystem present on the machine running the forwarder. If every forwarder has the same file, your monitor may look like:
[monitor://C:\System32\Winevt\logs\man.evtx]
disabled = false
crcSalt=
ignoreOlderThan = 7d
index = uim_index
If each server has files in different locations, you will likely have to create multiple inputs.conf variants and deploy the valid one for each forwarder.
Sounds good, thanks a lot!
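Added example, not part of the original thread: one way to lay out the "multiple inputs.conf variants" from the last answer, using deployment server classes so each forwarder gets only the variant whose path exists locally. The server class names, app names, host patterns and the second file path are hypothetical; the index and the first path are taken from the thread.

```ini
# --- Deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# Server class names, app names and host patterns are hypothetical.

[serverClass:uim_layout_a]
# Forwarders that keep the file at the path shown in the answer
whitelist.0 = appsrv-a-*

[serverClass:uim_layout_a:app:uim_inputs_a]
restartSplunkd = true

[serverClass:uim_layout_b]
# Forwarders that keep the file in a different local location
whitelist.0 = appsrv-b-*

[serverClass:uim_layout_b:app:uim_inputs_b]
restartSplunkd = true

# --- $SPLUNK_HOME/etc/deployment-apps/uim_inputs_a/local/inputs.conf ---
# Path is local to the forwarder, with no server name in the stanza.
[monitor://C:\System32\Winevt\logs\man.evtx]
disabled = false
ignoreOlderThan = 7d
index = uim_index

# --- $SPLUNK_HOME/etc/deployment-apps/uim_inputs_b/local/inputs.conf ---
# Constructed path standing in for the other layout.
[monitor://D:\Logs\man.evtx]
disabled = false
ignoreOlderThan = 7d
index = uim_index
```

The three sections are separate files, shown in one block for comparison. Because each forwarder matches one server class, every monitor stanza it receives points at its own filesystem and is read under the forwarder's own local account.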