Module 7: Monitor Inputs Flashcards

1
Q

How are files and directories monitored?

A
  • Upload (one-shot indexing) ingests a file once; use it for a file that will not change
  • A monitor input watches continuously: Splunk remembers which files it has already read (by CRC, tracked in the fishbucket) and follows the tail of each file for new data
  • MonitorNoHandle is a Windows-only input for files that another process keeps locked open for writing
  • Files and directories can be monitored using Splunk Web, inputs.conf or the CLI
  • A monitor stanza names a file or directory path
  • Regex (whitelist/blacklist) and wildcards select which files under a path are read
  • Mounted or shared (network) directories can be monitored
  • Compressed files (.tar, .gz, .bz2, .tgz, .tbz, .zip, .z) are decompressed and indexed
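An inputs.conf fragment that puts the points above together (an added example written for this page, not the card's own content or Splunk's documentation; the paths, sourcetype and index names are hypothetical):

```ini
# Added example inputs.conf; every path, sourcetype and index here is hypothetical.

# Directory monitor with regex selection. whitelist/blacklist are regexes
# matched against the full path of each file under the stanza path.
[monitor:///var/log/nginx]
disabled = false
recursive = true
sourcetype = nginx:access
index = web
whitelist = access\.log(\.\d+)?$
# Splunk would otherwise decompress and index rotated .gz copies too, which
# duplicates events already read from the uncompressed file (different CRC).
blacklist = \.(gz|bz2|zip)$
# Rotated logs that share an identical first 256 bytes would otherwise be
# treated as the same file; salting the CRC with the path keeps them distinct.
crcSalt = <SOURCE>
ignoreOlderThan = 30d

# Mounted/shared directory where the host name is a path segment:
# /mnt/nas/syslog/<host>/messages -> segment 4 is the host.
[monitor:///mnt/nas/syslog]
disabled = false
recursive = true
sourcetype = syslog
index = os
host_segment = 4

# Windows-only: a file another process holds open with an exclusive handle.
# MonitorNoHandle takes a single file, not a directory, and reads only data
# written after the input is enabled.
[MonitorNoHandle://C:\Windows\System32\dns\dns.log]
disabled = 0
sourcetype = dns
index = dns
```

For the one-shot case there is no stanza; the CLI form is `splunk add oneshot /path/to/file -sourcetype <type> -index <index>`, which reads the file once and does not track it afterwards.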
2
Q

How do you monitor windows data?

A
  • Windows event logs – collected locally, or remotely via WMI
  • Performance monitoring – performance counters from Performance Monitor
  • Remote monitoring – WMI queries (configured in wmi.conf)
  • Registry monitoring – changes to the local Windows registry
  • Active Directory monitoring – changes to AD objects
3
Q

How do you monitor Windows event logs?

A
  • The Windows Event Log service handles the logging
  • Event Viewer is used to view events
  • Splunk can monitor local and remote log channels
  • Local channels can be read while Splunk runs as Local System; remote channels require Splunk to run as a domain account with rights on the remote hosts (domain admin works, but membership in Event Log Readers plus DCOM/WMI remote access is the least-privilege choice)
  • Splunk uses WMI to read remote logs
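The local and remote cases side by side, as an added example for this page (not from the card or from Splunk's documentation): a WinEventLog stanza in inputs.conf on the Windows host, and a wmi.conf stanza on the collecting host for remote channels. Host names, index names and the event code list are hypothetical.

```ini
# inputs.conf on the Windows host (added example; index and codes are hypothetical)
[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
# Collect only the event codes detections actually use; the rest of the
# Security channel is volume without much value at scale.
whitelist = 4624,4625,4672,4688,4720,4728,4732,4756

[WinEventLog://System]
disabled = 0
index = wineventlog
renderXml = true

# wmi.conf on the collecting Splunk host, whose service account is a domain
# user in the remote hosts' Event Log Readers group with DCOM/WMI remote
# access. Remote collection over WMI does not work under Local System.
[WMI:RemoteSecurity]
server = dc01.corp.example, fs01.corp.example
event_log_file = Security
interval = 5
current_only = 1
index = wineventlog
disabled = 0
```

`current_only = 0` with `start_from = oldest` backfills the channel on first run and then tails it; `current_only = 1` on the WMI stanza only reads events that arrive after the input starts, which avoids pulling years of Security log over the network.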
4
Q

Why are scripted inputs used and how?

A
  • The data is dynamic in nature (for example the output of a command rather than a file)
  • The data lives on external or remote systems
  • A transformation has to be applied to the data before it is ingested
  • Authentication is needed before the data can be accessed
  • Scheduled or continuous monitoring of a system is required
  • How: the script goes in an app's bin directory, a [script://] stanza in inputs.conf gives the interval, and whatever the script writes to stdout is indexed
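A scripted input that exercises each of the reasons above (authenticate first, transform before ingesting, run on a schedule without re-indexing what was already collected). This is an added example written for this page, not Splunk's or any vendor's code; the API endpoint, token file, checkpoint path and CSV format are all hypothetical.

```bash
#!/bin/sh
# Added example of a Splunk scripted input. Assumptions, all hypothetical:
# a vendor API at $API_URL returning CSV rows "ts,user,action,result" and a
# bearer token kept in a 0600 file rather than in the script or inputs.conf.
# Splunk runs the script on the interval from its [script://] stanza and
# indexes each line written to stdout as one event.

TOKEN_FILE="${TOKEN_FILE:-/opt/splunk/etc/apps/vendor_input/local/api.token}"
CHECKPOINT="${CHECKPOINT:-/opt/splunk/var/lib/splunk/modinputs/vendor_input.ckpt}"
API_URL="${API_URL:-https://api.example.invalid/v1/audit}"   # hypothetical endpoint

# Authenticate before reading: the token is loaded at run time, never
# hard-coded. Fail closed (non-zero exit) if it is missing so the problem
# shows up in splunkd.log instead of as a silently empty run.
read_token() {
    [ -r "$1" ] || { echo "token file $1 not readable" >&2; return 1; }
    cat "$1"
}

# Transform: CSV rows -> one key=value event per line, skipping the header,
# malformed rows, and anything at or before the last checkpointed timestamp.
# ISO-8601 UTC timestamps sort correctly as plain strings.
transform() {
    since="${1:-}"
    awk -F, -v since="$since" '
        NR > 1 && NF == 4 && $4 != "" && ($1 "") > (since "") {
            printf "%s user=%s action=%s result=%s\n", $1, $2, $3, $4
        }'
}

# Newest timestamp in the emitted events, stored as the next checkpoint.
last_ts() {
    awk '{ ts = $1 } END { if (ts != "") print ts }'
}

fetch_events() {
    token="$(read_token "$TOKEN_FILE")" || return 1
    curl -fsS -H "Authorization: Bearer $token" "$API_URL"
}

main() {
    since=""
    [ -r "$CHECKPOINT" ] && since="$(cat "$CHECKPOINT")"
    raw="$(fetch_events)" || return 1
    out="$(printf '%s\n' "$raw" | transform "$since")"
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    printf '%s\n' "$out" | last_ts > "$CHECKPOINT"
}

# Splunk exports SPLUNK_HOME to scripted inputs; only run the collector under
# Splunk, so the functions above can be sourced and tested on their own.
if [ -n "${SPLUNK_HOME:-}" ]; then
    main
fi
```

The matching stanza would be `[script://$SPLUNK_HOME/etc/apps/vendor_input/bin/collect.sh]` with `interval = 300`, `sourcetype = vendor:audit` and an `index`; the checkpoint file is what makes a five-minute schedule safe against re-indexing rows the previous run already emitted.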