topic Re: How can I get the remote Windows Logs? in Getting Data In

How can I get the remote Windows Logs?

mailmetoramu — Mon, 04 Jun 2018 11:32:07 GMT

Hi All,

Have installed Universal forwarder in my remote windows machine. Actually, have tried configuring ''Remote event Logs'' which was under ''Add Data''.

While configuring this, it's asking for the remote window machine name & while entering it's throwing the below error :

''Unable to get wmi classes from host 'XXYYZZ'. This host may not be reachable or WMI may be misconfigured''

Can anyone help on this to get my remote windows logs?

Thanks,

Ramu.R

Re: How can I get the remote Windows Logs?

FrankVl — Mon, 04 Jun 2018 11:54:34 GMT

If you want to collect the logs through the UF, then you shouldn't use Add Data -> Remote Windows Logs on your Enterprise instance (at least I assume that's where you were trying that?). You need to either configure the inputs locally on the UF, or by using forwarder management from an Enterprise instance (turning that into a Deployment Server for your UFs).

Re: How can I get the remote Windows Logs?

mailmetoramu — Tue, 29 Sep 2020 19:45:57 GMT

Hi Frank,

Have configured the inputs.conf file on my Universal Forwarder in my remote windows machine & restarted the forwarder, but after that also i m not getting any logs into my splunk enterprise instance. Please find the configuration as below :

[script ://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[monitor ://C :\logs\remote_access.log]
sourcetype = remote_access_logs
index = remotelogs

[WinEventLog ://Application]
index=remotelogs

[WinEventLog ://Security]
index=remotelogs

[WinEventLog ://System]
index=remotelogs

Re: How can I get the remote Windows Logs?

FrankVl — Tue, 05 Jun 2018 06:55:08 GMT

You need to remove the spaces from those stanzas. Also: have you configured the UF to forward to the Enterprise instance (and are its internal logs indeed coming through)?

Re: How can I get the remote Windows Logs?

mailmetoramu — Tue, 05 Jun 2018 10:49:22 GMT

Yes have configured & i m getting internal logs (Splunk Logs) from my remote windows machine. Anywazz let me try removing space between the stanzas.

Re: How can I get the remote Windows Logs?

FrankVl — Tue, 05 Jun 2018 10:55:16 GMT

To clarify what I meant, it should be: [WinEventLog://System] not [WinEventLog ://System]

Re: How can I get the remote Windows Logs?

mailmetoramu — Tue, 05 Jun 2018 11:12:19 GMT

Got it, Thank You.

Re: How can I get the remote Windows Logs?

mailmetoramu — Tue, 05 Jun 2018 11:24:02 GMT

Please let me know the exact search query language to fetch the logs, actually i m using the below one :

index=''remotelogs'' sourcetype=''WinEventLog*'' (no results found for this)

Re: How can I get the remote Windows Logs?

FrankVl — Tue, 05 Jun 2018 12:01:50 GMT

You're not setting any sourcetype in inputs.conf. I'm not 100% if maybe some default config fixes that for windows events, but you might want to properly assign it in inputs.conf. Search for just the index=remotelogs to see if the issue is with the sourcetype not being what you expect.

If the sourcetype is fine, you'll need to do some further troubleshooting.

Does that index exist on your enterprise instance?
Any errors/warnings in splunkd.log on the UF?

Re: How can I get the remote Windows Logs?

mailmetoramu — Tue, 05 Jun 2018 12:28:05 GMT

My Final Inputs.Conf File :

[default]
host=XXYYZZ

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled=0

[monitor://C:\Program Files]

[WinEventLog://Application]
index=''_internal''

[WinEventLog://Security]
index=''_internal''

[WinEventLog://System]
index=''_internal''

Tried below query :

Index=_Internal

Got this below message :

Received event for unconfigured/disabled/deleted index=''_internal'' with source="source::WinEventLog:System" host="host::XXYYZZ" sourcetype="sourcetype::WinEventLog:System". So far received events from 2 missing index(es).

Can we create new Index on Splunk Enterprise ??

Re: How can I get the remote Windows Logs?

FrankVl — Tue, 05 Jun 2018 13:48:53 GMT

Such event logs should not be sent into _internal index. That is meant for Splunk Internal logs.
Previously you had it configured to send to remotelogs index, did you get similar errors about index being missing? If so: go to index configuration on your enterprise instance and create the remotelogs index and use that in your inputs.conf.

Re: How can I get the remote Windows Logs?

mailmetoramu — Tue, 05 Jun 2018 14:20:11 GMT

Thanks a lot Mr.Frank, got worked , you rock man 🙂