https://community.splunk.com/t5/Getting-Data-In/How-to-resend-the-specific-event-log-from-Windows-Universal/m-p/244331#M47263 <P>Hello Splunkers,</P> <P>We are collecting the Security Event Log from Windows 2012 Server which has Universal Forwarder installed, and I found that some of the logs were not sent to Indexer even though UseAck=true.<BR /> Is there a anyway to send only the specific logs to Indexer?</P> <P>Thanks in advance,</P> Wed, 06 Jul 2016 01:54:07 GMT kuga_mbsd 2016-07-06T01:54:07Z https://community.splunk.com/t5/Getting-Data-In/How-to-resend-the-specific-event-log-from-Windows-Universal/m-p/244331#M47263 <P>Hello Splunkers,</P> <P>We are collecting the Security Event Log from Windows 2012 Server which has Universal Forwarder installed, and I found that some of the logs were not sent to Indexer even though UseAck=true.<BR /> Is there a anyway to send only the specific logs to Indexer?</P> <P>Thanks in advance,</P> Wed, 06 Jul 2016 01:54:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-resend-the-specific-event-log-from-Windows-Universal/m-p/244331#M47263 kuga_mbsd 2016-07-06T01:54:07Z https://community.splunk.com/t5/Getting-Data-In/How-to-resend-the-specific-event-log-from-Windows-Universal/m-p/244332#M47264 <P>Hi kuga_mbsd, You could perhaps build a WMI query to get specific eventcodes, reviewing the documentation here might help : <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWMIdata#Examples_of_wmi.conf" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWMIdata#Examples_of_wmi.conf</A></P> <P>My next guess would be a script based oneshot gathering the events together as text (xml probably) and indexing the results.</P> <P>Please let me know if this answers your question! <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> Tue, 29 Sep 2020 10:08:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-resend-the-specific-event-log-from-Windows-Universal/m-p/244332#M47264 muebel 2020-09-29T10:08:24Z https://community.splunk.com/t5/Getting-Data-In/How-to-resend-the-specific-event-log-from-Windows-Universal/m-p/244333#M47265 <P>Hi muebel,</P> <P>Thank you for your answers.<BR /> Regarding the URL you gave me is pulling the logs on the remote Windows host, is that right?<BR /> Unfortunately Indexer doesn't have access to the server since Firewall is blocking.</P> <P>Do you think if Universal Forwarder will send the only specific logs by executing some commands?</P> <P>Thank you,</P> Wed, 06 Jul 2016 02:40:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-resend-the-specific-event-log-from-Windows-Universal/m-p/244333#M47265 kuga_mbsd 2016-07-06T02:40:51Z https://community.splunk.com/t5/Getting-Data-In/How-to-resend-the-specific-event-log-from-Windows-Universal/m-p/244334#M47266 <P>Yup, you can use powershell to retrieve specific eventlogs described in more detail here : <A href="https://technet.microsoft.com/en-us/library/hh849834.aspx">https://technet.microsoft.com/en-us/library/hh849834.aspx</A></P> <P>i.e., </P> <PRE><CODE>Get-EventLog -LogName "*Security*" -Message "*the message you are looking for*" </CODE></PRE> Wed, 06 Jul 2016 12:47:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-resend-the-specific-event-log-from-Windows-Universal/m-p/244334#M47266 muebel 2016-07-06T12:47:24Z https://community.splunk.com/t5/Getting-Data-In/How-to-resend-the-specific-event-log-from-Windows-Universal/m-p/244335#M47267 <P>The <CODE>UseAck=true</CODE> should help you prove where the breakdown did/not happen but there is no reason that the forwarding should not normally be reliable. I have some skepticism that "some" events did not make it in, if everything is configured correctly. We need to see your inputs.conf to be sure.</P> Wed, 06 Jul 2016 16:24:53 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-resend-the-specific-event-log-from-Windows-Universal/m-p/244335#M47267 woodcock 2016-07-06T16:24:53Z