All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk App for Windows Infrastructure: Why are WinEventLog configurations not indexing any data?

amithhegde
New Member
‎08-12-2015 04:56 AM

I have the Windows Infrastructure app installed on a Windows machine. The monitor stanza and the powershell scripts are working fine, but the Winevent logs with the following config are not indexing any data.

[WinEventLog:DFS Replication]
 disabled=0
 sourcetype="WinEventLog:DFS Replication"
 index=winevents
 queue=parsingQueue

 # Application and Services Logs - Directory Service

 [WinEventLog:Directory Service]
 disabled=0
 sourcetype="WinEventLog:Directory Service"
 index=winevents
 queue=parsingQueue

 # Application and Services Logs - File Replication Service

 [WinEventLog:File Replication Service]
 disabled=0
 sourcetype="WinEventLog:File Replication Service"
 index=winevents
 queue=parsingQueue

Please guide me where am I going wrong?

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎08-13-2015 02:12 PM

Two semi-general suggestions:

If it's installed on the local machine, is that local machine a Domain Controller?

You do have a "winevents" index on the indexer this gets sent to, right? If not, create that. I believe I had a problem where that app didn't create one of the indexes, though I don't recall which one. This could be your problem.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎08-14-2015 08:10 AM

Well, something I noticed and I have no idea if it's a problem or not, but all my DCs have their various sourcetypes set with no spaces in it.

For instance, on the one I checked, C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-NT6\default\inputs.conf says:

[WinEventLog://File Replication Service]
disabled=0
sourcetype=WinEventLog:File-Replication-Service
index=wineventlog
queue=parsingQueue

Try changing them to dashes and not spaces in those stanza and restart the UF?

0 Karma
Reply

amithhegde
New Member
‎08-14-2015 06:55 AM

Hi Rich,

Thanks for replyin, yes I have the "winevents" index created, and the machine I want to gt events from is not a local machine. But i have deployed the DomainController App on the machine in question.

Kindly let me know if I am missing something. Any suggestions on this would be really helpful.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...