topic Re: Forwarding windows event viewer logs to Splunk in Getting Data In

Forwarding windows event viewer logs to Splunk

kkossery — Thu, 23 Jan 2014 22:19:22 GMT

I have installed Splunk on a Linux box and is listening for incoming on 9997. Our linux boxes send its syslog to it and work fine.
The Windows boxes however do not send any event viewer logs. I installed SplunkForwarder on it and followed the prompts where I entered the Receiver server and port 9997. Also restarted the splunk service just in case.
What additional configurations are to be done to ensure Event Viewer logs/AD monitoring start to populate my Splunk sitting on the Linux box.
I'm able to telnet to 9997 from Windows to Linux so it is not an access issue.

Re: Forwarding windows event viewer logs to Splunk

kristian_kolb — Thu, 23 Jan 2014 22:28:07 GMT

Did you read the following topics in the docs?

http://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindowsdata

http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata

Re: Forwarding windows event viewer logs to Splunk

kkossery — Fri, 24 Jan 2014 00:30:32 GMT

Thank you for these links. However, I see some things are missing here,

Configure remote event log monitoring
1. Click Settings in the upper right-hand corner of Splunk Web.

Under Data, click Data Inputs.
Click Remote event log collections.
Click Add new to add an input.

I do not see Remote event log collections under Data Inputs. Do I need to activate something on my Linux box Splunk to show this.

Re: Forwarding windows event viewer logs to Splunk

kkossery — Mon, 27 Jan 2014 18:39:06 GMT

i have tried doing this again on another Windows box and I'm unable to install the program that will forward logs to the Splunk box. Can someone help?

Re: Forwarding windows event viewer logs to Splunk

dglinder — Mon, 27 Jan 2014 19:34:37 GMT

More details than "unable to install" would help.

Re: Forwarding windows event viewer logs to Splunk

dglinder — Mon, 27 Jan 2014 19:36:01 GMT

When you installed the Splunk Universal Forwarder on the Windows system, did you check the appropriate check-boxes on the "Enable Windows Inputs" page near the end of the install?

If not, you'll need to enable them on the Windows systems "inputs.conf" file - link:see this page for details

TL;DR notes:
Edit the inputs.conf on the Windows system (usually C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf) and add these lines:

[WinEventLog://Application]

disabled = 0

[WinEventLog://Security]

disabled = 0

[WinEventLog://System]

disabled = 0

You'll need to restart the SplunkUniversalForwarder service on the Windows system. Your Splunk index should start receiving these events.

Re: Forwarding windows event viewer logs to Splunk

kkossery — Tue, 28 Jan 2014 13:27:05 GMT

Installing on a different Windows box worked with the above settings. Thanks.

Re: Forwarding windows event viewer logs to Splunk

koolvasco — Wed, 29 Nov 2017 14:57:23 GMT

I am getting the logs by installing splunk universal forwarder on my server and by modifying inputs.conf as shown below

[WinEventLog://Security]
disabled = 0

but can somebody please tell me, that i need only event ids 6276 and 6278 only, not all events?

Re: Forwarding windows event viewer logs to Splunk

patel1515 — Mon, 02 Aug 2021 17:34:19 GMT

Hey, I am wondoring How Can I send Log files from linux to windows? I downloaded splunk in windows and forwarder in linux. I can telnet 9997 from linux to windows but I don't know how to send a files. can anybody help me with it?