I have installed the Splunk Add-on for Microsoft Windows and have the settings below in inputs.conf, but I'm still unable to see the Security logs. I checked on the Windows and Active Directory servers and the evtx logs exist.
[WinEventLog://Security]
disabled = 0
whitelist = 4625,4624,4634,4767
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false
suppress_text = 1
I'd ask the easy question first. Are you searching in index=wineventlog? Or does your role have permission to search all internal indexes?
This response likely doesn't rate as an answer yet.
Having the same problem. WinEventLog://System is working from the same inputs.conf file and I have the wineventlog index available.
Couple of questions:
Hi, I don't get your last point.
There should only be one service on your server that is running your Splunk Universal Forwarder instance. Is it running as LOCAL SYSTEM or as the "splunkforwarder" user?
If the latter, could you try to give the user temporary local admin rights and then restart your Splunk service.
By default System and Application logs are less restrictive on Windows machines and local users should be able to read those even if they are not local administrators. Security logs tend to require extra rights.
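A diagnostic PowerShell script, added here as an example and not part of the thread, that checks the points raised in this answer: which account the forwarder service runs as, whether that account is in a local group that can read the Security log, and whether the whitelisted event IDs can actually be read. It assumes the service is named SplunkForwarder (the Universal Forwarder default) and is run from an elevated prompt on the forwarder host.

```powershell
# Added diagnostic example (not from the thread). Assumes the Universal Forwarder
# service is named 'SplunkForwarder'; adjust $ServiceName if it differs.
$ServiceName = 'SplunkForwarder'

# 1. Which account does the forwarder service run as?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
"Service '$($svc.Name)' runs as: $($svc.StartName) (state: $($svc.State))"

# 2. For a dedicated service account, show local group membership. Reading the
#    Security log needs Administrators or the built-in 'Event Log Readers' group;
#    the latter is the least-privilege choice.
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
if ($svc.StartName -notin $builtin) {
    $user = $svc.StartName.Split('\')[-1]
    foreach ($grp in 'Administrators', 'Event Log Readers') {
        $isMember = [bool](Get-LocalGroupMember -Group $grp -ErrorAction SilentlyContinue |
                           Where-Object { $_.Name -like "*\$user" })
        "  member of '$grp': $isMember"
    }
}

# 3. Confirm the Security log is readable and contains the event IDs from the
#    whitelist in the question. This tests the current session's access; to test
#    the service account itself, start the shell as that account first.
$ids = 4624, 4625, 4634, 4767
try {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids } `
                           -MaxEvents 20 -ErrorAction Stop
    "Read $($events.Count) matching Security events; newest: $($events[0].TimeCreated)"
} catch {
    "Security log query failed: $($_.Exception.Message)"
}
```

If step 3 fails with an access-denied message while the service account check in step 2 shows no qualifying group membership, the rights described in this answer are the likely cause; if it reads fine, look at the forwarder's splunkd.log and the index/role settings asked about in the first reply instead.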
It was running as "Local System". I created "splunkforwarder" with local admins and log rights. At first I didn't get anything special so I made some Group Policy checks and left for home. During the night logs have started to come to indexer. Might've been a policy issue...?
Thanks for your help! 😃
I'm glad it works now.
By the way, could you accept one of the answers in order to fully close this question?