Module 7: Monitor Inputs Flashcards
1
Q
How are files and directories monitored?
A
- One-shot indexing is used to upload a file once
- With continuous monitoring, Splunk remembers the files it has read and follows the tail of each one
- MonitorNoHandle is a Windows-only input for files that get locked open for writing
- Files and directories can be monitored using Splunk Web, inputs.conf or CLI methods
- Monitor stanza for a file/directory path
- Regexes and wildcards can be used in the path
- Mounted or shared directories can be monitored
- Can monitor compressed files (.tar, .gz, .bz2, .tgz, .tbz, .zip, .z)
2
Q
How do you monitor Windows data?
A
- Windows event logs – collected locally or remotely using WMI
- Performance monitoring – performance counters from Performance Monitor
- Remote monitoring – WMI queries
- Registry monitoring – changes to the local Windows registry
- Active Directory monitoring – changes to AD
3
Q
How do you monitor Windows event logs?
A
- The Windows Event Log service handles the logging
- Event Viewer is used to view events
- Splunk can monitor local and remote log channels
- Splunk must run on Windows as Local System or a domain admin
- Splunk uses WMI to read remote logs
4
Q
Why and how are scripted inputs used?
A
- Data is dynamic in nature
- Data is on external/remote systems
- Need to apply transformations to the data before ingesting it
- Need to authenticate before accessing the data
- Scheduled or continuous monitoring of a system