Module 7: Monitor Inputs

Question 1

How are files and directories monitored?

Answer 1

• One-shot indexing used for uploading a file once
• While continuously monitoring Splunk remembers the files and follows tail
• MonitorNoHandle is windows-only input on files that get locked open for writing
• Files and directories can be monitored using Splunk web, inputs.conf or CLI methods
• Monitor stanza for file/directory path
• Use of regex and wildcards
• Monitor mounted or shared directory
• Can monitor compressed files (.tar, .gz, .bz2, .tgz, .tbz, .zip, .z)

Question 2

How do you monitor windows data?

Answer 2

• Win event logs – collect locally or remotely using WMI
• Performance monitoring – performance counters in performance monitor
• Remote monitoring – wmi queries
• Registry monitoring – changes to local windows registry
• Active directory monitoring – changes to AD

Question 3

How to do monitor Windows event logs?

Answer 3

• Windows event log server handles the logging
• Event viewer is used to view events
• Splunk can monitor local and remte log channels
• Splunk must run on Windows as Local System/domain admin
• Splunk uses WMI to read remote logs

Question 4

Why are scripted inputs used and how?

Answer 4

• Data is dynamic in nature
• Data is on external/remote systems
• Need to apply transformation on data before ingesting
• Need to authenticate before accessing the data
• Scheduled or continuous monitoring of a system