https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-Kaspersky-Security-Center-logs-in-Splunk/m-p/181146#M36337 <P>A few more questions/comments to help pinpoint where things are going wrong:</P> <UL> <LI>Is it a local user or domain user? <UL> <LI> Does the service start fine when you manually try it after a reboot?</LI> </UL></LI> <LI>Set it to autostart(delayed) instead of just autostart and see if it works then.</LI> <LI>Try is to set it temporarily to use the local SYSTEM login and see if that works.</LI> </UL> <P>Note that if you set it to autostart(delayed) it can take several minutes to actually start, so don't be in a hurry.</P> <P>after You can start by reading <STRONG>splunkd.log</STRONG> files on your forwarders, it's can be found at <STRONG>$SPLUNK_HOME$/var/log/splunk</STRONG> folder. This log use be very helpful.</P> <P>I figured it out. The solution is to add a section and stanza in the inputs.conf file on UF-end.</P> <PRE><CODE> [WinEventLogs: Kaspersky Event Logs] disabled = 0 start_from = oldest </CODE></PRE> <P>Then, restart the SplunkForwarder Service.</P> Sat, 27 Jun 2015 10:10:12 GMT fdi01 2015-06-27T10:10:12Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-Kaspersky-Security-Center-logs-in-Splunk/m-p/181145#M36336 <P>Hello,</P> <P>I'd like to monitor the logs of Kaspersky Security Center with Splunk . I found that I should add in inputs.conf on the forwarders :</P> <PRE><CODE>[WinEventLog://Kaspersky Event Log] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 index = kaspersky renderXml = false </CODE></PRE> <P>I do this and I restart the service of the forwarder, but after doing this, the forwarder is stopped !!</P> <P>Any one can help me to monitor the logs of Kaspersky?</P> <P>Thank you very much</P> Sat, 27 Jun 2015 09:16:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-Kaspersky-Security-Center-logs-in-Splunk/m-p/181145#M36336 Rimah 2015-06-27T09:16:18Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-Kaspersky-Security-Center-logs-in-Splunk/m-p/181146#M36337 <P>A few more questions/comments to help pinpoint where things are going wrong:</P> <UL> <LI>Is it a local user or domain user? <UL> <LI> Does the service start fine when you manually try it after a reboot?</LI> </UL></LI> <LI>Set it to autostart(delayed) instead of just autostart and see if it works then.</LI> <LI>Try is to set it temporarily to use the local SYSTEM login and see if that works.</LI> </UL> <P>Note that if you set it to autostart(delayed) it can take several minutes to actually start, so don't be in a hurry.</P> <P>after You can start by reading <STRONG>splunkd.log</STRONG> files on your forwarders, it's can be found at <STRONG>$SPLUNK_HOME$/var/log/splunk</STRONG> folder. This log use be very helpful.</P> <P>I figured it out. The solution is to add a section and stanza in the inputs.conf file on UF-end.</P> <PRE><CODE> [WinEventLogs: Kaspersky Event Logs] disabled = 0 start_from = oldest </CODE></PRE> <P>Then, restart the SplunkForwarder Service.</P> Sat, 27 Jun 2015 10:10:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-Kaspersky-Security-Center-logs-in-Splunk/m-p/181146#M36337 fdi01 2015-06-27T10:10:12Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-Kaspersky-Security-Center-logs-in-Splunk/m-p/181147#M36338 <P>Thank you for your response you find below the responses of your questions:</P> <P>local user or domain user? local user<BR /> Does the service start fine when you manually try it after a reboot? yes</P> <P>This problem come only if i add the instructyions in inputs.conf of kaspersky ? <BR /> when I delete these lines splunk universal forwarder continue work fine !</P> <P>My be I do a mistak in the inputs .conf for kaspersky <BR /> [WinEventLog://Kaspersky Event Log]<BR /> disabled = 0<BR /> start_from = oldest<BR /> current_only = 0<BR /> checkpointInterval = 5<BR /> index = kaspersky<BR /> renderXml = false</P> <P>Please correct these lines if there is a mistake or tell me how can I monitor the logs of kaspersky??<BR /> The only way to index Kaspersky logs is by adding these lines in inputs.conf??<BR /> Thank you !</P> Mon, 28 Sep 2020 20:24:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-Kaspersky-Security-Center-logs-in-Splunk/m-p/181147#M36338 Rimah 2020-09-28T20:24:25Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-Kaspersky-Security-Center-logs-in-Splunk/m-p/181148#M36339 <P>I figured it out. The solution is to add a section and stanza in the inputs.conf file on UF-end.</P> <P>[WinEventLogs: Kaspersky Event Logs]<BR /> disabled = 0<BR /> start_from = oldest</P> <P>Then, restart the SplunkForwarder Service.</P> Sat, 27 Jun 2015 19:17:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-Kaspersky-Security-Center-logs-in-Splunk/m-p/181148#M36339 fdi01 2015-06-27T19:17:43Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-Kaspersky-Security-Center-logs-in-Splunk/m-p/181149#M36340 <P>Hello ; </P> <P>Thank you for your response , I add this lines without any result . You will find below the error message :</P> <P>Invalid key in stanza [WinEventLogs: Kaspersky Event Logs] in C:<BR /> \Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf, line 6: st<BR /> art_from (value: oldest)</P> <P>Do you please have any idea on how to solve this issue</P> Mon, 29 Jun 2015 12:42:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-Kaspersky-Security-Center-logs-in-Splunk/m-p/181149#M36340 Rimah 2015-06-29T12:42:09Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-Kaspersky-Security-Center-logs-in-Splunk/m-p/540073#M90439 <P>But does these mapping parse the data so that it populates in ES</P> Tue, 16 Feb 2021 11:03:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-Kaspersky-Security-Center-logs-in-Splunk/m-p/540073#M90439 MTD 2021-02-16T11:03:33Z