Monitoring Skype Room System with Splunk – Part 1

Note: This is most likely unsupported by Microsoft. We are using Splunk to monitor the log files of Skype Room System. This is provided as a proof of concept of what can be done.

Overview

In this article I will explain what information you need Splunk to index, and how to create the dashboards. This article assumes you already have Splunk configured.

Universal Forwarder

To send the data from the Skype Room System to Splunk, we utilise the Splunk Universal Forwarder application. This is a lightweight application which is designed to send information to Splunk’s indexers for processing.

In our deployment we utilised Splunk Enterprise, and the universal forwarders are managed by a Deployment Server. For large-scale deployments this makes changes to the Universal Forwarders a trivial task. The following steps configure the inputs to Splunk locally, without the need for a deployment server.

Installation

  • Log in to the Skype Room System, and enter the Windows settings (for detailed steps check here)
  • To download the universal forwarder application browse to: https://www.splunk.com/en_us/download/universal-forwarder.html and create an account to download
  • Run the universal forwarder installation from the SRS device.
  • Accept the license agreement and tick “Use this UniversalForwarder with On-Premise Splunk”
  • Create credentials to manage the universal forwarder – we will however not need these credentials for this tutorial.
  • In “Deployment Server”, fill in your server details, or leave blank if not applicable.
  • In “Receiving Indexer”, enter the details of the Splunk indexer to which the universal forwarder will send data.

Note: This will have configured the Splunk Universal forwarder to run as the System account.

Configuration

The next part is to configure the information we wish Splunk to forward to our indexer. For my dashboards I use the following sources:

  • Application Event Log
  • System Event Log
  • Skype Room System Event Log
  • DesktopAPIService.txt file

To monitor these sources, edit the inputs.conf file, which is located in the Splunk Universal Forwarder installation directory (C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf).

Add the following configuration:

# SFB Windows inputs
[WinEventLog://Application]
sourcetype = WinEventLog:Application
disabled = 0

[WinEventLog://System]
sourcetype = WinEventLog:System
disabled = 0

[WinEventLog://Skype Room System]
sourcetype = WinEventLog:SkypeRoomSystem
disabled = 0

[monitor://C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalState\Tracing\DesktopAPIService.txt]
sourcetype = DesktopAPIService
disabled = 0
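
The following PowerShell check is an added example, not part of the original article or of Splunk's tooling. It parses the inputs.conf above and confirms on the SRS device that each event log channel and monitored file exists and that each sourcetype is spelled as intended. The function name Get-SplunkInputStanza and the rule "sourcetype is WinEventLog: plus the channel name without spaces" are assumptions inferred from the stanzas in this article.

```powershell
# Added example: sanity-check inputs.conf before relying on the forwarded data.
# Path is the one given in the article; adjust if the forwarder is installed elsewhere.
$conf = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf'

# Hypothetical helper: turns [kind://target] stanzas and their key = value lines into objects.
function Get-SplunkInputStanza {
    param([string[]]$Lines)
    $stanza = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(?<kind>\w+)://(?<target>.+)\]$') {
            if ($stanza) { [pscustomobject]$stanza }
            $stanza = @{ Kind = $Matches.kind; Target = $Matches.target; Settings = @{} }
        }
        elseif ($stanza -and $text -match '^(?<key>[^#=\s]+)\s*=\s*(?<value>.*)$') {
            $stanza.Settings[$Matches.key] = $Matches.value
        }
    }
    if ($stanza) { [pscustomobject]$stanza }
}

foreach ($s in Get-SplunkInputStanza -Lines (Get-Content -LiteralPath $conf)) {
    $problems = @()
    if ($s.Settings['disabled'] -in '1', 'true') { $problems += 'input is disabled' }
    switch ($s.Kind) {
        'WinEventLog' {
            # The channel must exist on this device, otherwise nothing is forwarded.
            if (-not (Get-WinEvent -ListLog $s.Target -ErrorAction SilentlyContinue)) {
                $problems += 'event log channel not found on this device'
            }
            # Assumed convention from the article: WinEventLog:<channel without spaces>.
            $expected = 'WinEventLog:' + ($s.Target -replace '\s', '')
            if ($s.Settings['sourcetype'] -ne $expected) {
                $problems += "sourcetype '$($s.Settings['sourcetype'])' differs from '$expected'"
            }
        }
        'monitor' {
            if (-not (Test-Path -LiteralPath $s.Target -PathType Leaf)) {
                $problems += 'monitored file not found'
            }
        }
    }
    [pscustomobject]@{
        Input    = "$($s.Kind)://$($s.Target)"
        Status   = if ($problems) { 'CHECK' } else { 'OK' }
        Problems = $problems -join '; '
    }
}
```

Run it from an elevated PowerShell prompt on the SRS device so the Skype user's profile folder is readable. A misspelled sourcetype is worth catching here because searches and dashboards keyed on the intended name would silently return no events.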

Conclusion

In this part of the post we went through installing the universal forwarder on the Skype Room System. In part 2 we will look at creating the dashboards to monitor the systems.