topic Re: Microsoft-Windows-PrintService/Operational Logs in Getting Data In

Microsoft-Windows-PrintService/Operational Logs

corommendoza — Mon, 30 Sep 2013 23:17:18 GMT

I want to monitor who is printing to which printer on my remote print server. Eventually I only want to see event ID 307 however, I'm unable to get any events from that log. I have added the following to my local/inputs.conf:

[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0

http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/MonitorWindowsdata#Event_log_monitor_configuration_values says I need to import to the Windows Event Viewer but this is already there. I have entered the full path as shown here: http://answers.splunk.com/answers/6219/windows-2008-server-event-viewer-logs

What am I missing?

Thanks.

Re: Microsoft-Windows-PrintService/Operational Logs

lukejadamec — Mon, 30 Sep 2013 23:27:31 GMT

Silly questions, but...
Is the local/inputs.conf you mentioned in the forwarder on the hosts connected to the printer? It won't work on the indexer alone.
On the hosts, can you see the logs you're after in the Windows event viewer?

Re: Microsoft-Windows-PrintService/Operational Logs

corommendoza — Mon, 30 Sep 2013 23:47:29 GMT

I can see those logs on the host and I don't have a forwarder installed.
I'd like to query without having to install a forwarder. Can this be done?

Re: Microsoft-Windows-PrintService/Operational Logs

lukejadamec — Mon, 30 Sep 2013 23:55:03 GMT

If it can be done, then it would be with the WMI log interface. Gonna have to think about that one.

Re: Microsoft-Windows-PrintService/Operational Logs

lukejadamec — Tue, 01 Oct 2013 00:06:03 GMT

I've seen a few old posts about this that are unanswered, and no answered ones. This usually means a configuration problem.
Have you tried enabling WMI logging for these remote hosts?

Are you running the main splunkd service with a domain account that has access to these logs?

Re: Microsoft-Windows-PrintService/Operational Logs

corommendoza — Tue, 01 Oct 2013 15:04:56 GMT

Yes I can view events on that server remotely via event viewer. Splunk service is running with a domain account that has access.

Re: Microsoft-Windows-PrintService/Operational Logs

lukejadamec — Tue, 01 Oct 2013 15:58:36 GMT

I meant, have you tried enabling the Splunk WMI input for these logs?
Manager>Data Inputs>Remote Event Log Collections
Select Add New, enter server name, and try to "find the logs".

Re: Microsoft-Windows-PrintService/Operational Logs

corommendoza — Mon, 28 Sep 2020 14:52:23 GMT

Yes, I only get these:

Application
Security
System
Hardware Events
Internet Explorer
Key Management Service
MSExchange Management
Windows Powershell

I was poking around and edited /etc/apps/launcher/local/wmi.conf and added:

[WMI:Event Log: Print Servers]
disabled = 0
index = default
interval = 5
server = servername
event_log_file = Microsoft-Windows-PrintService/Operational

This adds to the Remote Event Log Collections but it still doesn't pull anything.

Re: Microsoft-Windows-PrintService/Operational Logs

lukejadamec — Tue, 01 Oct 2013 16:13:47 GMT

Try removing the spaces from [WMI:EventLog:PrintServers]
After you enable the WMI input, check the splunkd.log for errors. It may take a few minutes before it actually starts pulling data.

Re: Microsoft-Windows-PrintService/Operational Logs

corommendoza — Mon, 28 Sep 2020 14:52:30 GMT

Removed spaces and this is what I get in the log:

10-01-2013 11:22:12.990 -0700 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Microsoft-Windows-PrintService/Operational'
10-01-2013 11:22:12.990 -0700 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Microsoft-Windows-PrintService/Operational': total_events='0' with empty_msg='0'.

I checked server and I can see events in that log.

Re: Microsoft-Windows-PrintService/Operational Logs

lukejadamec — Tue, 01 Oct 2013 18:50:18 GMT

Have you searched the indexer for printserver?

If it could not find the log, then I'm pretty sure it would throw an error.

You might want to give it some time.

Re: Microsoft-Windows-PrintService/Operational Logs

corommendoza — Tue, 01 Oct 2013 18:52:09 GMT

I'll give it a few hours. I appreciate you helping me out with this luke.

Re: Microsoft-Windows-PrintService/Operational Logs

corommendoza — Wed, 02 Oct 2013 18:43:00 GMT

No success. I guess no one has gotten it to work this way.

Re: Microsoft-Windows-PrintService/Operational Logs

antlefebvre — Thu, 10 Oct 2013 01:18:04 GMT

I know you said you don't want to load the universal forwarder, but it is the easiest way to get this done. In my local\inputs.conf I have the following indexed into an index called printlog and it works flawlessly.

[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
index = printlog

[WinEventLog:Microsoft-Windows-PrintService/Admin]
disabled = 0
index = printlog

Re: Microsoft-Windows-PrintService/Operational Logs

PaVedme — Tue, 29 Sep 2020 09:34:52 GMT

I found answer from http://forums.iis.net/p/1170786/1954080.aspx created on source machine a register "Key" at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Microsoft-Windows-PrintService/Operational

and everything worked properly.