inputs.conf monitor stanza for a remote Windows se...

eli9714 · ‎12-29-2017

Hello,

In the inputs.conf of a deployment app, i need to monitor multiple files on numerous remote servers.
What should be my current syntax?
Here's what i have:

[monitor:///Server Name/C:/System32/Winevt/logs/man.evtx]
disabled = false
crcSalt=
ignoreOlderThan = 7d
index = uim_index

I can't see any results in the index.
Is there something wrong with my syntax?
Also, i coudn't see any error in splunkd.log. any ideas where i could look?

Thanks

danielransell · ‎01-01-2018

You may not have permissions to monitor files on another system. If your splunk instantiation is installed with the default setup on a Windows machine, it is running with that computer’s ‘local system’ account. This account has full privileges on that system, but would have no privileges on the remote system - and therefore would be unable to monitor it.

eli9714 · ‎01-02-2018

Good to know. Thanks!

micahkemp · ‎12-29-2017

Your [monitor] stanza needs to point to a file that exists on a filesystem present on the machine running the forwarder. If every forwarder has the same file, your monitor may look like:

[monitor://C:\System32\Winevt\logs\man.evtx]
disabled = false
crcSalt=
ignoreOlderThan = 7d
index = uim_index

If each server has files in different locations, you will likely have to create multiple inputs.conf variants and deploy the valid one for each forwarder.

eli9714 · ‎01-02-2018

Sounds good, thanks a lot!

inputs.conf monitor stanza for a remote Windows server

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life