MonitorWare
For IIS or Exchange message tracking logs that can't be read through Snare or Samba, you can set up MonitorWare and Splunk to index and search your Windows logs in about 15 minutes. If you only need to index NT event logs, Snare is more expedient. You do not need MonitorWare if you can use Samba mounts, nor do you need it to send log4j data.
Video Demo
Splunk Ninja Episode 001 shows a complete, live MonitorWare / Splunk integration in less than five minutes.
Installation
- Download and install the MonitorWare Agent from Adiscon onto your Windows server.
- Start MonitorWare Agent. It opens the MonitorWare Configuration Wizard.
- Click Cancel to exit the wizard. The MonitorWare Agent Configuration Client opens in its place.
Add a RuleSet
- Right-click on RuleSets to bring up the RuleSets menu.
- Choose Add RuleSet. The RuleSet Wizard will appear and will automatically create a new ruleset named RuleSet 1, which you can rename.
- Click Next to edit the ruleset's rules.
- In the middle section of the list, check Forward Syslog.
- Click Finish.
TCP or UDP?
- You should now see a RuleSet drop-down menu. Select the Actions drop-down menu and choose Forward Syslog.
- You should see options for Syslog Server, Syslog Port, and Protocol Type. Choose one of the two options below.
- To send the file's events to Splunk via UDP, enter the Splunk host's IP address, listening port (default 514) and protocol UDP. Configure your Splunk server to add UDP port 514 as a data input.
- To send events to Splunk via TCP, enter the Splunk host's IP address, TCP listening port (default 9998) and protocol TCP. Configure your Splunk server to add TCP port 9998 as a data input.
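The Splunk-side step that both options leave to you, as an added example that is not from the original page: an inputs.conf fragment opening the two listeners the Forward Syslog action points at. The stanza names and the sourcetype, connection_host and acceptFrom settings are assumed from later Splunk inputs.conf documentation, not from this page, and may not all exist in the 2.x releases it covers; the agent address is a placeholder.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf (added example, not from the page)

# Minimal form: a UDP 514 listener that accepts syslog from any host that
# can reach the Splunk server. Works, but anything on the network can inject
# events into the index.
#[udp://514]
#sourcetype = syslog

# Tighter form: the same two listeners, but only the MonitorWare host may
# send, and the source host is recorded from the sending IP.
# <MONITORWARE_AGENT_IP> is a placeholder for the Windows server's address.
[udp://514]
sourcetype = syslog
connection_host = ip
acceptFrom = <MONITORWARE_AGENT_IP>

[tcp://9998]
sourcetype = syslog
connection_host = ip
acceptFrom = <MONITORWARE_AGENT_IP>
```

Restart Splunk after editing the file so the listeners are opened. On a Unix Splunk host, port 514 is below 1024 and needs root or an equivalent capability to bind, and UDP drops silently under load, which is why the TCP listener on 9998 is the safer choice for Exchange tracking logs.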
Add Service
- Right-click on Configured Services to bring up the Services menu.
- Select Add Service. This will bring up a menu of services.
- Click File Monitor. This will start the MonitorWare Services Wizard. It will automatically create a new service called File Monitor 1, which you can rename.
- Click Finish. This will bring up the configuration options for the service.
- Click Browse... to find and select the file you want to tail and send to Splunk.
- Select the RuleSet to Use at the bottom of the page. RuleSet 1 will be your only drop-down option.
- Click the large Save button at the top of the wizard to ensure your ruleset is applied.
- MonitorWare Agent is now configured. Click the Play ( > ) button near the top of its window.
When you click Play, MonitorWare Agent should begin forwarding your data to the remote syslog or Splunk server you've configured.
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6.