I have Windows Defender running and want to collect its logs into Splunk.
The logs are not being collected.
What should I do to fix it? I have no idea.
Did you deploy the add-on to the Windows host you wish to get the logs from?
Ideally, you would do this from the Forwarder Manager (Settings->Forwarder Management).
Copy the add-on from $SPLUNK/etc/apps to $SPLUNK/etc/deploy-apps.
Create a new folder "local" in $SPLUNK/etc/deploy-apps//.
Copy the inputs.conf from the "default" folder to "local" (the one you just created).
Change "disabled = true" to "disabled = false".
Verify that the TA_microsoft-windefender folder is on the host you wish to get that data from and then you should be good to go.
Restart the forwarder service (services.msc) for good measure.
So, if I generate a new event (downloaded a poor virus that Windows Defender detects), it sends logs. One problem is resolved \o/
But another problem: how do I collect all logs from Windows Defender?
Not only new ones, but everything from the beginning until now. And yes, in Event Viewer under
Microsoft-Windows-Windows Defender/Operational there are many logs.
This works for me (in local/inputs.conf):
# stanza header taken from the channel named above; it was missing from the posted snippet
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = windefender
disabled = false
renderXml = 1
I confirm that logs are coming into Splunk for index=windefender with that input. Confirm that the Windows Defender log location is correct for your system.
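The following PowerShell script is an added example, not code from any poster in this thread or from the add-on itself. It covers both the enable-the-input steps in the first answer and the "collect everything from the beginning" question in the follow-up: it checks that the Defender Operational channel exists on the host and how far back it goes, writes the local/inputs.conf override with the settings that make the Windows Event Log input read the whole channel rather than only new events, and restarts the forwarder. Assumed, not from the thread: the forwarder install path, the service name SplunkForwarder (the universal forwarder default), and the add-on folder name TA_microsoft-windefender as written in the first answer.

```powershell
# Added example (not from the original thread). Assumptions:
#   - Universal Forwarder installed at C:\Program Files\SplunkUniversalForwarder
#   - add-on folder is named TA_microsoft-windefender (as in the thread)
#   - Windows service name is SplunkForwarder (the UF default)
# Run from an elevated PowerShell prompt on the host that produces the events.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$AppName    = 'TA_microsoft-windefender'
$Channel    = 'Microsoft-Windows-Windows Defender/Operational'

# 1. Confirm the channel really exists here and see how much history it holds.
#    If this throws, the stanza name in inputs.conf will never match anything.
$log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
"Channel '{0}': {1} records, enabled={2}" -f $log.LogName, $log.RecordCount, $log.IsEnabled
$oldest = Get-WinEvent -LogName $Channel -Oldest -MaxEvents 1
"Oldest event still in the channel: {0} (event ID {1})" -f $oldest.TimeCreated, $oldest.Id

# 2. Write the local override. 'disabled = false' turns the input on;
#    'start_from = oldest' and 'current_only = 0' tell the input to read the
#    existing events in the channel instead of only those written after start.
$local = Join-Path $SplunkHome "etc\apps\$AppName\local"
New-Item -ItemType Directory -Path $local -Force | Out-Null
@"
[WinEventLog://$Channel]
disabled = false
index = windefender
renderXml = 1
start_from = oldest
current_only = 0
"@ | Set-Content -Path (Join-Path $local 'inputs.conf') -Encoding ASCII

# 3. Restart the forwarder so it picks up the new input, then show its state.
Restart-Service -Name SplunkForwarder
Get-Service -Name SplunkForwarder | Select-Object Name, Status
```

Two caveats a practitioner should keep in mind. First, the forwarder records a checkpoint per channel (under var\lib\splunk\modinputs\WinEventLog in the forwarder's install directory) once an input has run, so start_from only matters the first time; if the input already ran with the default settings and you want the backlog, stop the forwarder, delete that channel's checkpoint, and start it again. Second, if the host is managed by a deployment server, put the same local folder under the app's copy in etc\deployment-apps on the deployment server rather than editing the host directly, otherwise the next deployment cycle overwrites the change.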