I’ve created a simple deployment app for Windows systems to filter unwanted logs from the Windows event logs.
There are 4 files being pulled by the deployment client to “winev/default” under the apps folder.
All of the configuration files (props, transforms, output) are being executed except “input.conf”.
system/local/input.conf
[default]
host = TESTSERVER01
app/winev/default/input.conf
[WinEventLog:Application]
disabled = 0
[WinEventLog:Security]
disabled = 0
start_from = oldest
[WinEventLog:System]
disabled = 0
The only related logs in splunkd.log are:
02-25-2011 12:51:03.159 INFO WinEventLogChannel - initWinEvtApi: We must be in an XP/2k3 family OS. Switching using the old Windows Event Log api: The specified module could not be found..
02-25-2011 12:51:03.159 INFO loader - Instantiated plugin: queueoutputprocessor
02-25-2011 12:51:03.159 INFO WinEventLogInputProcessor - main-thread: Starting to monitor Windows Event Log channels for events
As soon as I move these stanzas to input.conf in the local folder, I can see logs being forwarded (with successful filtering based on the “winev” app):
02-25-2011 12:53:11.207 INFO WinEventLogChannel - initWinEvtApi: We must be in an XP/2k3 family OS. Switching using the old Windows Event Log api: The specified module could not be found..
02-25-2011 12:53:11.222 INFO WinEventLogChannel - Initialized Windows Event Log='Application' Success; oldest_rec_id='866'; newest_rec_id='2101'; total_rec='1236'
02-25-2011 12:53:11.222 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Application'
02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Application': total_events='0' with empty_msg='0'.
02-25-2011 12:53:11.238 INFO WinEventLogChannel - init: Binding to DC to translate guids/sids for channel='Security'
02-25-2011 12:53:11.238 INFO WinEventLogChannel - Initialized Windows Event Log='Security' Success; oldest_rec_id='1'; newest_rec_id='289'; total_rec='289'
02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Security'
02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Security': total_events='0' with empty_msg='0'.
02-25-2011 12:53:11.238 INFO WinEventLogChannel - Initialized Windows Event Log='System' Success; oldest_rec_id='4959'; newest_rec_id='7389'; total_rec='2431'
02-25-2011 12:53:11.238 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'System'
02-25-2011 12:53:11.285 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'System': total_events='10' with empty_msg='0'.
02-25-2011 12:53:11.285 INFO WinEventLogInputProcessor - main-thread: Starting to monitor Windows Event Log channels for events
I even checked that Splunk is parsing my config files in the deployment app by removing ‘#’ from my comments and double-checking splunkd.log.
I would appreciate it if you could help me with this one.
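The post shows the app's event-log stanzas living in a file called input.conf while the files Splunk actually loads are inputs.conf, props.conf, transforms.conf and outputs.conf; a .conf file with any other name under etc/ is never opened and produces no warning in splunkd.log. The script below is an added example (not code from the post or from Splunk) that simulates Splunk's layering of one conf file across system/default, apps/*/default, apps/*/local and system/local, reports .conf files whose names Splunk will ignore, and shows the merged inputs before and after the file is renamed. The directory layout is constructed from the snippets in the post; the ordering between several apps is simplified to sorted directory name, and the small parser handles only the stanza/key = value/comment syntax visible on the page.

```python
"""Added example: simulate Splunk's layering of .conf files to show why a file
named input.conf (instead of inputs.conf) never contributes any stanzas.

Assumptions (not from the original post): the file layout in build_demo_home()
is constructed from the post's snippets; the precedence order is Splunk's
global context (system/default < apps/*/default < apps/*/local < system/local);
ordering between several apps is simplified to sorted directory name.
"""
import tempfile
from pathlib import Path

# Configuration files Splunk actually reads for this pipeline. Any other *.conf
# filename under etc/ is simply never loaded, with no warning in splunkd.log.
KNOWN_CONF = {"inputs.conf", "props.conf", "transforms.conf", "outputs.conf"}


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}; '#' starts a comment."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def layered_paths(splunk_home, conf_name):
    """Candidate files, lowest precedence first, so later files overwrite earlier ones."""
    etc = Path(splunk_home) / "etc"
    apps_dir = etc / "apps"
    apps = sorted(p for p in apps_dir.glob("*") if p.is_dir()) if apps_dir.is_dir() else []
    return ([etc / "system" / "default" / conf_name]
            + [app / "default" / conf_name for app in apps]
            + [app / "local" / conf_name for app in apps]
            + [etc / "system" / "local" / conf_name])


def merge_conf(splunk_home, conf_name):
    """Merge all layers of one conf file; [default] keys cascade into every other stanza."""
    if conf_name not in KNOWN_CONF:
        return {}  # Splunk would never open a file with this name at all
    merged = {}
    for path in layered_paths(splunk_home, conf_name):
        if path.is_file():
            for stanza, kv in parse_conf(path.read_text()).items():
                merged.setdefault(stanza, {}).update(kv)
    defaults = merged.get("default", {})
    return {name: {**defaults, **kv} for name, kv in merged.items() if name != "default"}


def misnamed_conf_files(splunk_home):
    """Relative paths of *.conf files under etc/ that Splunk will silently ignore."""
    etc = Path(splunk_home) / "etc"
    return sorted(p.relative_to(etc).as_posix()
                  for p in etc.rglob("*.conf") if p.name not in KNOWN_CONF)


def write(path, text):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def build_demo_home():
    """Constructed layout mirroring the post: host in system/local, event-log stanzas in the app."""
    home = Path(tempfile.mkdtemp(prefix="splunk_demo_"))
    write(home / "etc/system/local/inputs.conf", "[default]\nhost = TESTSERVER01\n")
    write(home / "etc/apps/winev/default/input.conf",
          "# misnamed on purpose: Splunk only reads inputs.conf\n"
          "[WinEventLog:Application]\ndisabled = 0\n"
          "[WinEventLog:Security]\ndisabled = 0\nstart_from = oldest\n"
          "[WinEventLog:System]\ndisabled = 0\n")
    return home


def demo():
    """Return (ignored files, merged inputs before rename, merged inputs after rename)."""
    home = build_demo_home()
    ignored = misnamed_conf_files(home)
    before = merge_conf(home, "inputs.conf")
    bad = home / "etc/apps/winev/default/input.conf"
    bad.rename(bad.with_name("inputs.conf"))
    after = merge_conf(home, "inputs.conf")
    return ignored, before, after


if __name__ == "__main__":
    ignored, before, after = demo()
    print("ignored:", ignored)
    print("before rename:", sorted(before))
    print("after rename:", after["WinEventLog:Security"])
```

On a real forwarder the equivalent check is `splunk btool inputs list --debug`, which prints every merged inputs.conf stanza prefixed with the file it came from; the WinEventLog stanzas should appear tagged with the app's path once the file is named inputs.conf, and the `host` from system/local should show up in each of them.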