snare Sourcetype

Hi all,

i'm running splunk 4.2.1 i need to take windows log by snare agent. When i create a data input and select souce type i can't see windows_snare_syslog choice.

help me plz

asked 03 May '11, 06:09

zagor
1●1●1
accept rate: 0%

edited 03 May '11, 09:03

southeringtonp ♦
4.9k●2●5●24

2 Answers:

oldest newest most voted

0	If the sourcetype you want doesn't appear in the dropdown list, you can select "Manual" under "Set sourcetype", and then type in `windows_snare_syslog` directly. link answered 03 May '11, 09:03 southeringtonp ♦ 4.9k●2●5●24 accept rate: 35%

the support solution go well

In SplunkWeb

Click on the "Apps" pulldown and select "Manage Apps..."
You should find an App named Legacy
Enable it - yours is probably disabled

You should have a props.conf file in SPLUNK_HOME/etc/apps/legacy/default/

You should find a stanza that looks like this...

[windows_snare_syslog] pulldown_type = true

Make sure pulldown_type is set to true

link

answered 04 May '11, 01:34

zagor
1●1●1
accept rate: 0%

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

windows ×433
sourcetype ×248
snare ×8

Asked: 03 May '11, 06:09

Seen: 2,240 times

Last updated: 04 May '11, 01:34

snare Sourcetype

Follow this question

Splunk Resources

Related questions