topic Monitoring Windows Event Logs in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Monitoring-Windows-Event-Logs/m-p/392741#M70165 <P>Windows Event Log files (.evtx) monitoring stop working after a while and the Splunk universal forwarder has to be restarted to start data collection again. </P> <P>Here is the [monitor] stanza configured to monitor the Windows Event Log files (.evtx): <BR /> [monitor://C:\Windows\System32\winevt\Logs\VisualSVNServerActivity.evtx]<BR /> disabled = 0<BR /> index = WinEvent</P> <P>[monitor://C:\Windows\System32\winevt\Logs\VisualSVNServerManagement.evtx]<BR /> disabled = 0<BR /> index = WinEvent</P> Mon, 08 Apr 2019 07:58:09 GMT keio_splunk 2019-04-08T07:58:09Z Monitoring Windows Event Logs https://community.splunk.com/t5/Getting-Data-In/Monitoring-Windows-Event-Logs/m-p/392741#M70165 <P>Windows Event Log files (.evtx) monitoring stop working after a while and the Splunk universal forwarder has to be restarted to start data collection again. </P> <P>Here is the [monitor] stanza configured to monitor the Windows Event Log files (.evtx): <BR /> [monitor://C:\Windows\System32\winevt\Logs\VisualSVNServerActivity.evtx]<BR /> disabled = 0<BR /> index = WinEvent</P> <P>[monitor://C:\Windows\System32\winevt\Logs\VisualSVNServerManagement.evtx]<BR /> disabled = 0<BR /> index = WinEvent</P> Mon, 08 Apr 2019 07:58:09 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-Windows-Event-Logs/m-p/392741#M70165 keio_splunk 2019-04-08T07:58:09Z Re: Monitoring Windows Event Logs https://community.splunk.com/t5/Getting-Data-In/Monitoring-Windows-Event-Logs/m-p/392742#M70166 <P>Universal forwarder will not poll for inputs for window events when specifying the [monitor] if interval is not specified. <BR /> i.e. <BR /> [monitor://C:\Windows\System32\winevt\Logs\VisualSVNServerActivity.evtx] <BR /> disabled = 0 <BR /> index = WinEvent</P> <P>Solution 1: Specify an interval value for the [monitor] stanza: <BR /> [monitor://C:\Windows\System32\winevt\Logs\VisualSVNServerActivity.evtx] <BR /> interval = 60 <BR /> disabled = 0 <BR /> index = WinEvent</P> <P>Solution 2: Use [WinEventLog] stanza for Windows Event Log files monitoring: <BR /> [WinEventLog://VisualSVNServerActivity] <BR /> disabled = 0 <BR /> index = WinEvent</P> <P>Refer to <A href="https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/MonitorWindowseventlogdata">Monitor Windows event log data</A>.</P> Mon, 08 Apr 2019 08:07:22 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-Windows-Event-Logs/m-p/392742#M70166 keio_splunk 2019-04-08T08:07:22Z