topic Re: WinEventLog System in Getting Data In

WinEventLog System

santiagn — Fri, 23 Jun 2017 15:55:42 GMT

hi question regarding the wineventlog system collection.

for some reason splunk is only displaying event code 7036. i have a 2004 code that i am trying to log and set an alert but it is not picking it up for some reason. i see that 7036 is an information type and 2004 is a warning. what can i do to get 2004 to log?

Re: WinEventLog System

santiagn — Fri, 23 Jun 2017 16:04:48 GMT

update: im searching Last 30 days and its only logging today if that helps. 2004 event happened 10 days ago so i am not sure if the problem is that splunk is only logging todays events or if it can see any other events

Re: WinEventLog System

adonio — Tue, 29 Sep 2020 14:34:26 GMT

please share your inputs stanza for winevenlog system
supposed to be something like that:
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=false

Re: WinEventLog System

santiagn — Tue, 29 Sep 2020 14:38:53 GMT

i only had disabled = 0 and my index, updated to what you mentioned and still no luck, only showing todays logs.

[WinEventLog://System]
disabled = 0
index=main
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false

Re: WinEventLog System

santiagn — Fri, 23 Jun 2017 17:08:55 GMT

figured it out,

changed start_from from oldest to newest

and current_only from 0 to 1