Splunk server : Windows XP SP3. Remote servers : Windos XP SP2
I am not permitted to install ANY software on the remote targets such as Splunk forwarders, ssh, ftp etc. Nor can we access the servers via WMI/DCOM. UNC paths is all we are allowed.
The remote files are on different UNC paths (different servers). The remote server files are only accessible with the use several username/passwords. These users don't exist on the Splunk server (different windows domain). I can use NET USE to connect manually providing the user/password on each NET USE command.
I am wondering can I somehow have the set of NET USE commands run before Splunkd starts. This would have to be part of the service environment so that Splunk can access the files.
As alternative I assume I could use scripted input, but that seems to be a waste of network bandwidth if I have to regularly copy the entire file from the remote to the local server.
Is there a way to monitor these remote files via UNC with user/pass?
Unfortunately mounted volumes (with NET USE) are only available to the interactive session, as such the Splunk service will not be able to use it.
You have a few options available to you:
Out of the options available I believe number 4 would be the most elegant and fault tolerant. Number 2 would probably be pretty hard to implement due to security policies and politics, but would be a very solid solution. Number 3 is kind of a crappy hack, and will probably lead to other problems (such as not being able to monitor UNCs in the indexer's domain unless you create the same local accounts there, and you are likely not allowed to create accounts in the first place). Number 1 appears to be the fall back if everything else fails.
I hope this will help you solve your problem. Let me know if you need additional info or some clarification.