Solved: Where to search my monitored indexed log

SplunkUser5888 · ‎10-16-2012

Hey guys,

I have written some stuff in the inputs.conf file and the fschange stuff works but I can't find the logs that I'm trying to monitor. Am I having conflicts with fschange? What should I search to find my monitored logs?

Any help would be appreciated.

[default]
host = server2003-splu

[script://$SPLUNK_HOME\bin\scripts\splunk-perform.path]
disabled = 0

[fschange:C:\Documents and Settings\Administrator\Local Settings]
index = _audit
signedaudit = false
pollPeriod = 1
hashMaxSize = 10485760
fullEvent = true

[fschange:C:\Documents and Settings\All Users]
index = _audit
signedaudit = false
pollPeriod = 1
hashMaxSize = 10485760
fullEvent = true

[fschange:C:\WINDOWS\system32]
index = _audit
signedaudit = false
pollPeriod = 1
hashMaxSize = 10485760
fullEvent = true

[monitor://C:\GMER_Rootkit_logs]

SplunkUser

sdaniels · ‎10-16-2012

Can you try the direct path to one of your files and see if you get anything? I assume the search time you are using is 'All time'. If the time stamp that you are picking up is recognized incorrectly it might be getting indexed as an older time therefore if you were searching in the last 24 hours or something you would not see it. I've seen stranger things happen with time stamps.

View solution in original post

tskinnerivsec · ‎10-16-2012

From the Monitor changes to your filesystem section of the Getting Data In document:

"If you have signedaudit=true , the file system change audit event will be indexed into the audit index (index=_audit). If signedaudit is not turned on, by default, the events are written to the main index unless you specify another index."

in your above config, you have signedaudit set to false.

SplunkUser5888 · ‎10-16-2012

That's for fschange which works fine, i'm having issues with monitor, i just added fschange in there to see if people thought it was an issue with directories, thanks anyway

sdaniels · ‎10-16-2012

Can you try the direct path to one of your files and see if you get anything? I assume the search time you are using is 'All time'. If the time stamp that you are picking up is recognized incorrectly it might be getting indexed as an older time therefore if you were searching in the last 24 hours or something you would not see it. I've seen stranger things happen with time stamps.

SplunkUser5888 · ‎10-16-2012

Thank you, a simple source=*.log got what I was looking for.

Thank you very much

sdaniels · ‎10-16-2012

Also, here is a link on the Wiki for troubleshooting. You may see something here that you haven't thought of as well.

http://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs

sdaniels · ‎10-16-2012

You would need the part not with 'OR' to be in brackets. Make it simpler, the monitor will put the logs in the 'main' index so no need to include that. Just search on source="*.log" and see if you get anything over "All time" for the log files you are looking for.

SplunkUser5888 · ‎10-16-2012

Well i think the fact that my splunk server isn't set up well for time won't help that.

nothing found when I search

host=server2003-splu C:\GMER_Rootkit_logs\123.log
or
host=server2003-splu C:\GMER_Rootkit_logs
or
host=server2003-splu index=_audit C:\GMER_Rootkit_logs\123.log
or
host=server2003-splu index=main C:\GMER_Rootkit_logs\123.log

on All Time

Where to search my monitored indexed log

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk