All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk App for Windows Infrastructure: Why are WinEventLog configurations not indexing any data?

amithhegde
New Member
‎08-12-2015 04:56 AM

I have the Windows Infrastructure app installed on a Windows machine. The monitor stanza and the powershell scripts are working fine, but the Winevent logs with the following config are not indexing any data.

[WinEventLog:DFS Replication]
 disabled=0
 sourcetype="WinEventLog:DFS Replication"
 index=winevents
 queue=parsingQueue

 # Application and Services Logs - Directory Service

 [WinEventLog:Directory Service]
 disabled=0
 sourcetype="WinEventLog:Directory Service"
 index=winevents
 queue=parsingQueue

 # Application and Services Logs - File Replication Service

 [WinEventLog:File Replication Service]
 disabled=0
 sourcetype="WinEventLog:File Replication Service"
 index=winevents
 queue=parsingQueue

Please guide me where am I going wrong?

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎08-13-2015 02:12 PM

Two semi-general suggestions:

If it's installed on the local machine, is that local machine a Domain Controller?

You do have a "winevents" index on the indexer this gets sent to, right? If not, create that. I believe I had a problem where that app didn't create one of the indexes, though I don't recall which one. This could be your problem.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎08-14-2015 08:10 AM

Well, something I noticed and I have no idea if it's a problem or not, but all my DCs have their various sourcetypes set with no spaces in it.

For instance, on the one I checked, C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-NT6\default\inputs.conf says:

[WinEventLog://File Replication Service]
disabled=0
sourcetype=WinEventLog:File-Replication-Service
index=wineventlog
queue=parsingQueue

Try changing them to dashes and not spaces in those stanza and restart the UF?

0 Karma
Reply

amithhegde
New Member
‎08-14-2015 06:55 AM

Hi Rich,

Thanks for replyin, yes I have the "winevents" index created, and the machine I want to gt events from is not a local machine. But i have deployed the DomainController App on the machine in question.

Kindly let me know if I am missing something. Any suggestions on this would be really helpful.

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top