topic Applications and Services Logs in Getting Data In

Applications and Services Logs

marcmoennikes — Mon, 23 May 2011 10:06:12 GMT

Hello,

i want to collect events in the Windows 2008 (r2) event logs -> "Application and Services Logs" -> "microsoft" -> "Windows".
When i use the "add data" -> "windows event logs" in the splunk gui, i only see Eventlogs in the first hierarchie, like "system", "application", "powershell", "security" and so on.
Is there any additional configuration needed to collect the events, which are shown under "Application and Services Logs"?
Do i need snare or a forwarder?

Thank you
Regards

Marc

Re: Applications and Services Logs

piebob — Mon, 23 May 2011 18:37:44 GMT

i'm not sure i understand the question--are you saying you have added the system/application/security/etc event logs as inputs and you do not see the events from them? are you trying to collect these events from a remote host?

Re: Applications and Services Logs

marcmoennikes — Mon, 23 May 2011 19:13:52 GMT

Hello,

thanks for your reply. I want to add events from logs which resides "deeper" in the event log structure in windows 2008R2.
When i open the vent viewer i have a folder "Application and Services Logs". Under this folder "microsoft" , "microsoft" and then the specific logs for different windows server roles like remote desktop connection broker, print service and so on.

Regards

Marc

Re: Applications and Services Logs

piebob — Mon, 23 May 2011 19:57:55 GMT

you can monitor non-default Windows event logs by adding them to a local copy of your inputs.conf file:
http://www.splunk.com/base/Documentation/latest/Data/MonitorWindowsdata#Use_inputs.conf_to_configure_event_log_monitoring

you apparently have to import these eventlogs to the Windows Event Viewer beforehand, and then you can add a stanza for the specific event log.
i don't believe it's possible to add these non-default event logs via Splunk Web.

Re: Applications and Services Logs

ftk — Tue, 24 May 2011 15:34:13 GMT

If you install Splunk on Windows 2008 and run it as an account with the appropriate privileges (e.g. Local System), you should be able to see all available event logs -- I know I can on my 2008 installs.

You can also add monitors for these logs manually in inputs.conf. For Event viewer/Applications and Services/Microsoft/Windows/UAC/Operational for example you can add

[WinEventLog:Microsoft-Windows-UAC/Operational]
disabled = 0

Re: Applications and Services Logs

piebob — Wed, 25 May 2011 01:27:35 GMT

ftk is the best!

Re: Applications and Services Logs

AaronMoorcroft — Mon, 28 Sep 2020 16:21:04 GMT

I managed it with this -

[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
start_from = oldest
current_only = 0

Re: Applications and Services Logs

sadkha — Tue, 16 Sep 2014 14:09:43 GMT

Hi FTK,

I'm trying to collect data from an EDM server, which is directly under Applications and Services Logs. The log path is:

%SystemRoot%\System32\Winevt\Logs\EDM Server.evtx

I've tried variations of [WinEventLog:Logs\EDM Server] and [WinEventLog:Applications and Services Logs\EDM Server] but it doesn't seem to work. any idea?