https://community.splunk.com/t5/Getting-Data-In/Windows-EventLog-details-Exchange-Management-Log/m-p/49503#M96761 <P>And be sure to check out the PowerShell add-on, it lets you paste a PowerShell script into inputs.conf if you want. <A href="http://apps.splunk.com/app/1477">http://apps.splunk.com/app/1477</A></P> Mon, 09 Sep 2013 18:10:02 GMT halr9000 2013-09-09T18:10:02Z https://community.splunk.com/t5/Getting-Data-In/Windows-EventLog-details-Exchange-Management-Log/m-p/49500#M96758 <P>In Server 2008 and above the Windows Event Log has a general tab and a details tab.<BR /> Splunk is great at polling and indexing the general tab but the Details tab, whether the Friendly view or the XML view also has data that is critical to troubleshooting.</P> <P>My case in point:<BR /> Exchange 2010 event log WinEventLog:MSExchange Management is being polled and indexed. An event looks like this:</P> <PRE><CODE>20121128102958.000000 Category=1 CategoryString=General EventCode=6 EventIdentifier=-1073741818 EventType=1 Logfile=MSExchange Management RecordNumber=428075 SourceName=MSExchange CmdletLogs TimeGenerated=20121128162958.000000-000 TimeWritten=20121128162958.000000-000 Type=Error User=NULL ComputerName=EXCHANGESERVER.DOMAIN.COM wmi_type=WinEventLog:MSExchange Management Message=Cmdlet failed. Cmdlet Add-DistributionGroupMember, parameters {Identity="GUID=big-long-serial-number", Member="distinguishedName of user", Confirm=False}. </CODE></PRE> <P>The error message that the Cmdlet failed is not specific enough.<BR /> In the details tab this same event may have many different reasons. Here are two:</P> <PRE><CODE>Microsoft.Exchange.Management.Tasks.MemberAlreadyExistsException: The recipient "distinguishedName of user" is already a member of the group "distinguishedName of distribution group". Microsoft.Exchange.Data.Directory.ADScopeException: "distinguishedName of distribution group" isn't within your current write scopes. Can't perform save operation. </CODE></PRE> <P>Similar event, two different reasons. One reason requires attention, the other can be ignored.</P> <P>So my question is how can Splunk index this detail data behind the general event information?</P> Thu, 29 Nov 2012 18:28:29 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-EventLog-details-Exchange-Management-Log/m-p/49500#M96758 pcjunkie 2012-11-29T18:28:29Z https://community.splunk.com/t5/Getting-Data-In/Windows-EventLog-details-Exchange-Management-Log/m-p/49501#M96759 <P>So after some asking around it appears that the Splunk event reader engine cannot get the detail I'm looking for.<BR /><BR /> I will be opening a feature request to see if this can be added to a future release.</P> Wed, 05 Dec 2012 15:13:30 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-EventLog-details-Exchange-Management-Log/m-p/49501#M96759 pcjunkie 2012-12-05T15:13:30Z https://community.splunk.com/t5/Getting-Data-In/Windows-EventLog-details-Exchange-Management-Log/m-p/49502#M96760 <P>As a workaround to the point that @pcjunkie made, you could get the data another way. I would play with the Get-WinEvent cmdlet, and the resulting Properties property. I <EM>think</EM> that's where the details go, but am not 100% certain.</P> <PRE><CODE>PS C:\Users\hrottenberg&gt; Get-WinEvent -LogName "Microsoft-Windows-TaskScheduler/Operational" -MaxEvents 1 | fl * Message : Task Scheduler shutdown Task Engine "S-1-5-21-1559891614-3024993685-3922480044-1000:LAB-WIN-SVR-1\hrottenberg:Interactive:LUA[1]" process. Id : 318 Version : 0 Qualifiers : Level : 4 Task : 318 Opcode : 2 Keywords : -9223372036854775808 RecordId : 207793 ProviderName : Microsoft-Windows-TaskScheduler ProviderId : de7b24ea-73c8-4a09-985d-5bdadcfa9017 LogName : Microsoft-Windows-TaskScheduler/Operational ProcessId : 880 ThreadId : 2708 MachineName : lab-win-svr-1.bd.splunk.com UserId : S-1-5-18 TimeCreated : 9/9/2013 1:49:01 PM ActivityId : RelatedActivityId : ContainerLog : microsoft-windows-taskscheduler/operational MatchedQueryIds : {} Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark LevelDisplayName : Information OpcodeDisplayName : Stop TaskDisplayName : Task engine properly shut down KeywordsDisplayNames : {} Properties : {System.Diagnostics.Eventing.Reader.EventProperty} PS C:\Users\hrottenberg&gt; Get-WinEvent -LogName "Microsoft-Windows-TaskScheduler/Operational" -MaxEvents 1 | select -ExpandProperty properties Value ----- S-1-5-21-1559891614-3024993685-3922480044-1000:LAB-WIN-SVR-1\hrottenberg:Interactive:LUA[1] </CODE></PRE> Mon, 09 Sep 2013 18:03:17 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-EventLog-details-Exchange-Management-Log/m-p/49502#M96760 halr9000 2013-09-09T18:03:17Z https://community.splunk.com/t5/Getting-Data-In/Windows-EventLog-details-Exchange-Management-Log/m-p/49503#M96761 <P>And be sure to check out the PowerShell add-on, it lets you paste a PowerShell script into inputs.conf if you want. <A href="http://apps.splunk.com/app/1477">http://apps.splunk.com/app/1477</A></P> Mon, 09 Sep 2013 18:10:02 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-EventLog-details-Exchange-Management-Log/m-p/49503#M96761 halr9000 2013-09-09T18:10:02Z