https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263537#M21461 <P>Anyone have any other ideas?</P> Mon, 30 Jan 2017 13:18:48 GMT bbazian 2017-01-30T13:18:48Z https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263532#M21456 <P>I am trying to get additional logs sent to Splunk Cloud from a Windows domain controller. I modified my inputs.conf file to add the additional logs but do not see them in the wineventlog index. Am I missing something. Here is the inputs.conf contents.</P> <P>[default]<BR /> host = DC1</P> <P>[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]<BR /> disabled = 0</P> <P>[WinEventLog://Application]<BR /> disabled = 0 <BR /> [WinEventLog://Security]<BR /> disabled = 0 <BR /> [WinEventLog://System]<BR /> disabled = 0 <BR /> [WinEventLog://DNS Server]<BR /> disabled = 0<BR /> [WinEventLog://Directory Service]<BR /> disabled = 0<BR /> [WinEventLog://File Replication Service]<BR /> disabled = 0</P> Sun, 29 Jan 2017 12:14:04 GMT https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263532#M21456 bbazian 2017-01-29T12:14:04Z https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263533#M21457 <P>Do you see any logs from this host? If you search <CODE>index=* host=XYZ</CODE> over the past 24 hours (or some other reasonable time frame) what do you get?</P> <P>Also, try adding <CODE>index = wineventlog</CODE> into each of those stanzas to force them (hopefully) to the right index.</P> Sun, 29 Jan 2017 13:22:19 GMT https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263533#M21457 Richfez 2017-01-29T13:22:19Z https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263534#M21458 <P>I do see the security, system and application logs. Not the others that I have in the inputs.conf file. Prior to the addition to the input.conf I saw those logs with the following config.</P> <P>[default]<BR /> host = DC1</P> <P>[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]<BR /> disabled = 0</P> <P>I just added the individual log entries.</P> Sun, 29 Jan 2017 13:42:51 GMT https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263534#M21458 bbazian 2017-01-29T13:42:51Z https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263535#M21459 <P>Did you bump the service after modifying <CODE>inputs.conf</CODE>?</P> Sun, 29 Jan 2017 14:49:27 GMT https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263535#M21459 skoelpin 2017-01-29T14:49:27Z https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263536#M21460 <P>Yes. I restarted the Splunk service.</P> Sun, 29 Jan 2017 16:47:25 GMT https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263536#M21460 bbazian 2017-01-29T16:47:25Z https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263537#M21461 <P>Anyone have any other ideas?</P> Mon, 30 Jan 2017 13:18:48 GMT https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263537#M21461 bbazian 2017-01-30T13:18:48Z https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263538#M21462 <P>I do see the the Directory Service log in the default index. I changed the inputs.conf file to read as below. We will see what that does.</P> <P>[default]<BR /> host = OKDC1</P> <P>[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]<BR /> index = wineventlog<BR /> disabled = 0</P> <P>[WinEventLog://Application]<BR /> index = wineventlog<BR /> disabled = 0 </P> <P>[WinEventLog://Security]<BR /> index = wineventlog<BR /> disabled = 0 </P> <P>[WinEventLog://System]<BR /> index = wineventlog<BR /> disabled = 0 </P> <P>[WinEventLog://DNS Server]<BR /> index = wineventlog<BR /> disabled = 0<BR /> index = wineventlog</P> <P>[WinEventLog://Directory Service]<BR /> index = wineventlog<BR /> disabled = 0</P> <P>[WinEventLog://File Replication Service]<BR /> index = wineventlog<BR /> disabled = 0</P> Mon, 30 Jan 2017 13:28:44 GMT https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263538#M21462 bbazian 2017-01-30T13:28:44Z https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263539#M21463 <P>I am now seeing the info for the Directory Service in the wineventlog.</P> Mon, 30 Jan 2017 13:49:14 GMT https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263539#M21463 bbazian 2017-01-30T13:49:14Z https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263540#M21464 <P>Please check the permissions on the event logs.</P> <P><A href="https://blogs.technet.microsoft.com/janelewis/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008/">https://blogs.technet.microsoft.com/janelewis/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008/</A></P> Mon, 30 Jan 2017 13:53:22 GMT https://community.splunk.com/t5/Deployment-Architecture/Forward-additional-Windows-logs/m-p/263540#M21464 jkat54 2017-01-30T13:53:22Z