topic Re: Cannot receive WinEventLog via inputs.conf in Getting Data In

Cannot receive WinEventLog via inputs.conf

johant — Tue, 29 Sep 2020 16:46:17 GMT

My current setup:

Splunk Indexer (Deployment Server)
Domain Controller (Windows Server 2008) - UF installed as Deployment Client

I wanted to use Windows App Infrastructure to read the logs, so I followed this documentation https://docs.splunk.com/Documentation/MSApp/1.4.2/MSInfra/ConfiguretheSplunkAppforWindowsInfrastructure.

I have installed all add-ons required on both Splunk Indexer and Domain Controller. The networking and firewall rules are all fine because I can receive "Active Directory" logs in the Indexer.

However, I cannot get any WinEventLog(Security, Application, System) eventhough I have enabled the monitoring in inputs.conf (\etc\deployment-apps\Splunk_TA_windows\local\inputs.conf)
This is how my inputs.conf looks like:

OS Logs

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml=false

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml=false

Can anyone tell me the reason why I cannot get those logs to Indexer?
Thanks

Re: Cannot receive WinEventLog via inputs.conf

gcusello — Mon, 13 Nov 2017 07:46:32 GMT

Hi johant,
there are some checks to perform on your systema to find the problem:

are wineventlogs enabled on your Domain Controller?
did you checked if Domain Controller and Indexer have the same time?
check using ./splunk cmd btool inputs list --debug > inputs.txt if there are other wineventlogs configurations where WinEventLog://Security is disabled

Bye.
Giuseppe

Re: Cannot receive WinEventLog via inputs.conf

hardikJsheth — Mon, 13 Nov 2017 09:11:49 GMT

Did you choose restart your forwarder option after deployment when configuring server class on your deployment server? If you make any change to your input stanzas, you need to restart your splunk forwarder. Choose the option to restart the forwarder and again push your bundle.

Re: Cannot receive WinEventLog via inputs.conf

johant — Wed, 15 Nov 2017 22:18:25 GMT

Hi Giuseppe,

Can you tell me how to check that? I can see the event on the windows 'Event Viewer' so I assume it should be enabled?
Yes, both of them have the same system time.
I ran this command and I cannot see WinEventLog://Security ,Application, System listed on the inputs.txt. How do I make sure that those WinEventLog are listed in there?

Thanks

Re: Cannot receive WinEventLog via inputs.conf

johant — Wed, 15 Nov 2017 22:20:10 GMT

Hi Hardik,

No i did not enabled that option, however I manually restart the UF and I stil cannot get the logs to my indexer.
Is it a best practice to automatically restart the forwarder everytime I make a deployment?

Thanks

Re: Cannot receive WinEventLog via inputs.conf

gcusello — Thu, 16 Nov 2017 10:28:25 GMT

sorry but maybe I was misunderstood: this command must be run on the forwarder not on indexer:

splunk cmd btool inputs list --debug > inputs.txt

Bye.
Giuseppe

Re: Cannot receive WinEventLog via inputs.conf

johant — Thu, 16 Nov 2017 21:38:06 GMT

Yes, I ran that on the forwarder and I still cannot find WinEventLog://Security.
It is all right now, I re-installed the forwarder in the windows machine and when i run those command I can see all inputs that I wanted.

Re: Cannot receive WinEventLog via inputs.conf

gcusello — Tue, 29 Sep 2020 16:53:29 GMT

Just an additional bit: at installation, Splunk Forwarder on Windows usually configures Wineventlog ingestion.
To avoid problems like the ones you have, I usually disable this ingestion and I install Splunk_TA_Windows, configured on my project needs, always using a Deployment Server.

Bye.
Giuseppe

Re: Cannot receive WinEventLog via inputs.conf

hardikJsheth — Wed, 29 Nov 2017 07:30:22 GMT

It will depend on type of applications that you are pushing to forwarder. But to be on safer side you can keep this option selected.

Re: Cannot receive WinEventLog via inputs.conf

SumitPan — Mon, 19 Mar 2018 15:23:30 GMT

How did you enable these logs. I'm failed to change disabled=0 for System and Applications. Even though I'm trying to perform it post stopping Splunkd but still receiving an error that file is opened somewhere.

Re: Cannot receive WinEventLog via inputs.conf

johant — Mon, 19 Mar 2018 21:55:07 GMT

Hi SumitPan,

I assumed you grab the logs using Universal Forwarder? If so, you have to make sure that you choose "custom installation" otherwise UF will sent all windows logs by default and I found that we cannot change that in the inputs.conf.

Regards,
Johan Tanadi