Logs not coming from Windows Defender

test_qweqwe
Builder

Hi
I have Windows Defender running and want to collect its logs in Splunk.

  1. Windows Defender running on my host, Windows 10 Enterprise LTSB;
  2. Splunk 7.0 collecting logs locally from my host;
  3. TA for Microsoft Windows Defender;

Logs are not collected.
What should I do to fix it? I have no idea.

0 Karma

mjeffery_splunk
Splunk Employee

Did you deploy the add-on to the Windows host you wish to get the logs from?

Ideally, you would do this from the Forwarder Manager (Settings -> Forwarder Management):

  1. Copy the add-on from $SPLUNK/etc/apps to $SPLUNK/etc/deploy-apps.
  2. Create a new folder "local" in $SPLUNK/etc/deploy-apps//
  3. Copy the inputs.conf from the "default" folder to "local" (the one you just created).
  4. Change "disabled = true" to "disabled = false".

Verify that the TA_microsoft-windefender folder is on the host you wish to get that data from and then you should be good to go.

Restart the forwarder service (services.msc) for good measure.

0 Karma

test_qweqwe
Builder

I did it all and it hasn't helped.

0 Karma

mjeffery_splunk
Splunk Employee

Bring up the Event Viewer on the Windows box you're trying to get those logs from and verify that it is indeed logging the events under "Applications and Services Logs".

0 Karma

test_qweqwe
Builder

So, if I generate a new event (downloaded a poor virus that Windefender detects), it sends logs. One problem is resolved \o/

But another problem: how to collect all logs from Windefender?
Not only new ones, all from the beginning until now. And yes, in Event Viewer under Microsoft-Windows-Windows Defender/Operational there are many logs.

0 Karma
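The Event Viewer check suggested above, and the question of how far back the channel actually reaches, as an added PowerShell example that is not from this thread (the channel name is the one quoted in the thread; the property and cmdlet names are standard Get-WinEvent output, and the event IDs 1116/1117 are Defender's detection events):

```powershell
# Added check, not from the thread: confirm the Defender operational channel is
# enabled and see how much history it holds. Run from an elevated prompt.
$channel = 'Microsoft-Windows-Windows Defender/Operational'

# Channel configuration. A Circular log overwrites its oldest records once it
# reaches MaximumSizeInBytes, which bounds how far back start_from = oldest
# can ever read, regardless of what the forwarder is configured to do.
$log = Get-WinEvent -ListLog $channel -ErrorAction Stop
[pscustomobject]@{
    LogName     = $log.LogName
    IsEnabled   = $log.IsEnabled
    RecordCount = $log.RecordCount
    MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    LogMode     = $log.LogMode        # Circular, AutoBackup or Retain
    LogFilePath = $log.LogFilePath
} | Format-List

if ($log.RecordCount -eq 0) {
    Write-Warning "Channel '$channel' is empty; nothing for a forwarder to read."
    return
}

# Oldest and newest records still present: this is the span of "historical"
# events that an input with start_from = oldest and current_only = 0 can
# index. Anything older than the oldest record has already been overwritten.
$oldest = Get-WinEvent -LogName $channel -Oldest -MaxEvents 1
$newest = Get-WinEvent -LogName $channel -MaxEvents 1
"Oldest record: {0}  (EventId {1})" -f $oldest.TimeCreated, $oldest.Id
"Newest record: {0}  (EventId {1})" -f $newest.TimeCreated, $newest.Id

# Breakdown by event ID, to confirm that detection events (1116 = malware
# detected, 1117 = action taken) are present and that the channel is not
# only engine/signature housekeeping.
Get-WinEvent -LogName $channel |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

If the oldest record is recent and LogMode is Circular, increase the channel's maximum size before expecting older events to reach Splunk; the forwarder cannot index records the log has already discarded.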

test_qweqwe
Builder

My config:

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = windefender
disabled = false
# read the channel from its oldest record instead of only new events
start_from = oldest
current_only = 0
renderXml = 1

0 Karma

pdoconnell
Path Finder

This works for me:

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = windefender
disabled = false
renderXml = 1

I confirm logs coming into Splunk for index=windefender with that input. Confirm that your Windows Defender log location is correct for your system.

0 Karma

test_qweqwe
Builder

Hi!
In my previous comment I said that logs coming, but only new. I need historical (old) and new logs.

0 Karma

pdoconnell
Path Finder

It looks like the start_from and current_only stanzas don't appear anymore in the inputs.conf definition. Maybe it is no longer supported?

0 Karma

test_qweqwe
Builder

Maybe, but how do I collect all the Windefender logs that I have on my PC? 🙂

0 Karma