https://community.splunk.com/t5/Getting-Data-In/Unable-to-Collect-SMBServer-Audit-logs/m-p/565976#M100656 <P>I have been unable to get the universal forwarders to correctly collect the SMB Server audit logs. The inputs.conf file on the deployment server has the following stanza configured but there are no logs flowing in. The other events in the inputs file work without any issues.&nbsp;</P><P><BR />## Application and Services Logs - SMB Server Audit Log<BR />[WinEventLog://Microsoft-Windows-SMBServer/Audit]<BR />index = wineventlog<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 0</P><P>Thanks&nbsp;</P><P>&nbsp;</P> Mon, 06 Sep 2021 07:00:42 GMT CJHindmarsh 2021-09-06T07:00:42Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-Collect-SMBServer-Audit-logs/m-p/565976#M100656 <P>I have been unable to get the universal forwarders to correctly collect the SMB Server audit logs. The inputs.conf file on the deployment server has the following stanza configured but there are no logs flowing in. The other events in the inputs file work without any issues.&nbsp;</P><P><BR />## Application and Services Logs - SMB Server Audit Log<BR />[WinEventLog://Microsoft-Windows-SMBServer/Audit]<BR />index = wineventlog<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 0</P><P>Thanks&nbsp;</P><P>&nbsp;</P> Mon, 06 Sep 2021 07:00:42 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-Collect-SMBServer-Audit-logs/m-p/565976#M100656 CJHindmarsh 2021-09-06T07:00:42Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-Collect-SMBServer-Audit-logs/m-p/573223#M101397 <P>Hey, were you able to get this working?</P> Mon, 01 Nov 2021 18:59:52 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-Collect-SMBServer-Audit-logs/m-p/573223#M101397 km1986 2021-11-01T18:59:52Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-Collect-SMBServer-Audit-logs/m-p/575116#M101653 <P>Is that the correct path of where those logs are actually located? Also, you are going to want to make sure that Splunk is able to capture from that location. Might want to check permissions on the windows event log configuration.</P> Tue, 16 Nov 2021 19:09:38 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-Collect-SMBServer-Audit-logs/m-p/575116#M101653 adobrzeniecki 2021-11-16T19:09:38Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-Collect-SMBServer-Audit-logs/m-p/575158#M101661 <P>Yep, the above stanza is correct. I was just impatient I think. The next morning I had pretty much all the logs available to search.</P> Tue, 16 Nov 2021 22:16:48 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-Collect-SMBServer-Audit-logs/m-p/575158#M101661 CJHindmarsh 2021-11-16T22:16:48Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-Collect-SMBServer-Audit-logs/m-p/575419#M101717 <P>Was splunkd running as SYSTEM or as a domain account? I tried both, restarted Splunk services and the DS, but while other Event IDs are coming as expected the Event ID 3000 (SMBServer Audit) logs are not coming in. Now that it is certain the path is correct, I'm thinking if it something related to permissions.</P> Thu, 18 Nov 2021 10:47:43 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-Collect-SMBServer-Audit-logs/m-p/575419#M101717 km1986 2021-11-18T10:47:43Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-Collect-SMBServer-Audit-logs/m-p/576064#M101804 <P>What sourcetype did your data come in with? Did you have to create the sourcetype?</P> Tue, 23 Nov 2021 17:32:38 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-Collect-SMBServer-Audit-logs/m-p/576064#M101804 adobrzeniecki 2021-11-23T17:32:38Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-Collect-SMBServer-Audit-logs/m-p/576083#M101806 <P>I was able to fix it. It was permissions on Windows Event Logs. Used <A href="https://support.umbrella.com/hc/en-us/articles/115004063808-Using-wevtutil-to-check-Event-Log-permissions" target="_blank">https://support.umbrella.com/hc/en-us/articles/115004063808-Using-wevtutil-to-check-Event-Log-permissions</A>&nbsp;as reference to correct the channel access string for&nbsp;Microsoft-Windows-SMBServer/Audit. Thanks for the suggestion.</P> Tue, 23 Nov 2021 20:47:10 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-Collect-SMBServer-Audit-logs/m-p/576083#M101806 km1986 2021-11-23T20:47:10Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-Collect-SMBServer-Audit-logs/m-p/576108#M101808 <P>I was at the time utilizing the Splunk add on for Windows. It came with some predefined sourcetypes for Win Event logs.</P> Tue, 23 Nov 2021 23:35:18 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-Collect-SMBServer-Audit-logs/m-p/576108#M101808 CJHindmarsh 2021-11-23T23:35:18Z