What should I attach to my install script if I want to start monitoring the event log in "tail" mode? I don't want to grab any historical events on the first time the LWF runs on the client machines. I have this as an install script:

    msiexec.exe /i %SPLUNK_MSI% LAUNCHSPLUNK=0 WMICHECK_CPUTIME=0 WMICHECK_LOCALDISK=0 WMICHECK_FREEDISK=0 WMICHECK_MEMORY=0 WINEVENTLOGAPPCHECK=0 WINEVENTLOGSECCHECK=1 WINEVENTLOGSYSCHECK=0 /QUIET

This will successfully enable the Security event log on Windows, but will capture the historical events.

You should use configuration files immediately after running the installer to set this up. See either: http://answers.splunk.com/questions/434/can-i-auto-install-or-deploy-splunk-onto-all-my-remote-windows-servers/437#437 or http://www.splunk.com/wiki/Deploy:SplunkForwarder_for_Windows_installscript for an example of a script that installs and lays down any desired configuration on top.

This works, however, when the service starts for the first time, it overrides the files I've placed... i.e. I created an inputs.conf that has certain attributes, after the Splunk service starts, it replaced my custom inputs.conf, it did not append it as I expected.
(23 Mar '10, 16:01)
BunnyHop
where did you put your custom file? etc/system/local would be the wrong place.
(24 Mar '10, 14:32)
gkanapathy ♦
Yes, that's where I put my file. Where would be the better spot?
(26 Mar '10, 17:07)
BunnyHop
etc/apps/search/local
(27 Mar '10, 16:56)
gkanapathy ♦
I don't think the requisite flag, current_only, is exposed in the WMI interface. You will need to do one of:
Is there a way to append the inputs.conf? I can possibly disable all inputs from the install and then have another line in the script to copy the /etc/ files. I don't want to override the inputs.conf file that Splunk creates during installation, since that contains the hostname of the client. I'm using the free Splunk so I can't utilize the deployment server/client environment.
(16 Mar '10, 01:01)
BunnyHop
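An added example, not posted by anyone in the thread and not Splunk's own script: a PowerShell post-install step that merges the current_only setting mentioned above into etc/apps/search/local/inputs.conf without overwriting other stanzas, then starts the service that LAUNCHSPLUNK=0 left stopped. The install path, the WinEventLog://Security stanza name (check the inputs.conf spec for your Splunk version) and the Set-ConfSetting helper are assumptions.

```powershell
# Added example. Assumptions: install path, stanza name, helper name Set-ConfSetting.
$SplunkHome = 'C:\Program Files\Splunk'   # assumed install directory
$ConfPath   = Join-Path $SplunkHome 'etc\apps\search\local\inputs.conf'

function Set-ConfSetting {
    param(
        [string]$Path,
        [string]$Stanza,
        [System.Collections.IDictionary]$Settings
    )
    # Copy the settings so keys can be ticked off as they are written.
    $pending = [ordered]@{}
    foreach ($k in $Settings.Keys) { $pending[$k] = $Settings[$k] }

    $lines = @()
    if (Test-Path -LiteralPath $Path) { $lines = @(Get-Content -LiteralPath $Path) }

    $out = New-Object 'System.Collections.Generic.List[string]'
    $inStanza = $false
    $seen = $false
    foreach ($line in $lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Leaving the target stanza: add any settings it did not contain.
            if ($inStanza) {
                foreach ($k in @($pending.Keys)) { $out.Add("$k = $($pending[$k])") }
                $pending.Clear()
            }
            $inStanza = ($Matches[1] -ceq $Stanza)
            if ($inStanza) { $seen = $true }
        }
        elseif ($inStanza -and $line -match '^\s*([^=\s#]+)\s*=' -and $pending.Contains($Matches[1])) {
            # Replace an existing value in place instead of duplicating the key.
            $line = "$($Matches[1]) = $($pending[$Matches[1]])"
            $pending.Remove($Matches[1])
        }
        $out.Add($line)
    }
    # Stanza absent from the file: append it, leaving every other stanza untouched.
    if (-not $seen) { if ($out.Count) { $out.Add('') }; $out.Add("[$Stanza]") }
    foreach ($k in @($pending.Keys)) { $out.Add("$k = $($pending[$k])") }

    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $Path) | Out-Null
    Set-Content -LiteralPath $Path -Value $out -Encoding ASCII
}

Set-ConfSetting -Path $ConfPath -Stanza 'WinEventLog://Security' -Settings ([ordered]@{
    disabled     = 0
    current_only = 1   # collect only events that arrive while Splunk is running
})
& (Join-Path $SplunkHome 'bin\splunk.exe') start
```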