Hello all,
I have the problem that Splunk is not able to index any data which is on the host system. Splunk itself is running as a guest in VirtualBox on Windows XP. I am able to add a monitoring input for the host system by selecting
\\vboxsrv\documents\Logauswertungen\Logs
But Splunk won't index these files. Please see my old thread for further information. Since the other thread was concerning another issue, I am opening this one.
Kind regards
EDIT: Here are two screenshots showing the InputData and the Indexes:
I think it's interesting that Splunk finds some files (actually there are only 2 files and 1 folder within this directory) but won't index them.
I will use Ubuntu server, this will be my answer to this issue...
good choice 🙂
Hi Katsche
again, splunkd.log is your friend - check it for errors/messages.
so many things to check ......... so little time 🙂
So this bridging seems to be missing. I got a final solution: I will use Ubuntu server, Windows XP is dead to me...
you're right, this is done by the VM tools. but a real share on your host should do the job, if the VM is bridged with the host's network, else it would not see the host's share.
I think I found another problem: There is no "Documents" share within the host system. This is all done by VirtualBox's Shared Folders and the guest additions. When I try to set up a share for everyone directly in my Managed Windows 7 Enterprise I can't see it in the guest system. Moreover the link to uwe-sieber.de describes this workaround for XP, does this even work with Win7 and XP together?
I did everything on http://www.uwe-sieber.de/nullsessionshare.html on the host and guest system, it still won't work.
Maybe this is an error of VirtualBox? I am still getting the permissions error.
okay this was maybe my mistake 🙂 read this: http://www.uwe-sieber.de/nullsessionshare.html and you will (I did) learn, this should be done on your host and not the VM, because you try to access the host's share and not a share of the VM.
I edited the Registry Entry (added "Documents") and restarted Windows. I still get the Tailing Processor-Permissions-Error. What do I have to do concerning the "Named Pipes"?
-> If your application uses Named Pipes and requires null session support.
From the HKEY_LOCAL_MACHINE subtree, go to the following key:
\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes
On a new line within the NullSessionShares key, type in the pipe you want to access with a null session.
as the share is the first value after the servername, it should be 'Documents' in your case.
I may sound stupid now, but I am still not sure what I have to type. I got "\vboxsrv\Documents\Logauswertungen\Logs\" or "E:\Logauswertungen\Logs\" ("Documents on vboxsrv (E:)") pointing to the same folder. What do I have to type? "Documents", "vboxsrv"? I just don't get it. 😛
🙂
like it says 'type in the share you want to access' so type in the share you want to access.
🙂
I started working on your fix MuS. What do I have to enter in this step? "On a new line within the NullSessionShares key, type in the share you want to access with a null session (for example: "PUBLIC")"
here we go: Insufficient permissions!
fix the UNC Windows 'bug' and you're set 😉
@Ayn: I will check your link and post the results as soon as possible.
@MuS: This is what I found in the splunkd.log: "08-18-2011 09:58:58.894 +0200 WARN TailingProcessor - Insufficient permissions to read file='\VBOXSVR\Documents\Logauswertung\Logs\SystemOut\14.SystemOut.log' (hint: Incorrect function.).
08-18-2011 09:58:58.894 +0200 WARN TailingProcessor - Insufficient permissions to read file='\VBOXSVR\Documents\Logauswertung\Logs\SystemOut\15.SystemOut.log' (hint: Incorrect function.).
"
Ayn's tool tip is very handy, use it.
but I still think your basic problem is that the service account is not able to access the UNC share - follow this http://support.microsoft.com/kb/124184/ to fix it. this has nothing to do with your filesystem permissions or if you are able to click in explorer and open a log file.
On a related note, this tool could come in handy: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/
It lists the state of each input along with descriptions on why some inputs aren't indexed (if any) etc. Really useful!
Except the third one, I don't get it. -> "3.You can also try by making the service as interactive by specifying SERVICE_INTERACTIVE_PROCESS in the servicetype parameter flag of your CreateService() function but this will be limited only till XP as Vista and 7 donot support this feature."
(4) I thought the permissions are granted the second the guest additions in VirtualBox are setup. I can access all of the files in Windows Explorer. No permission issues visible to me. (5) I tried all of the options given here: http://stackoverflow.com/questions/182750/how-to-map-a-network-drive-to-be-used-by-a-service/3821317...