
Splunk Splunk Add-on for Microsoft Windows: Why does the universal forwarder local inputs.conf show [WinEventLog://Security] as disabled?

fletch13
Explorer

I'm working on getting the Universal Forwarder install switches set so we can deploy this with SCCM on Windows servers (2012, 2008, etc.). Below is the CLI I'm using, run as Admin on the device:

c:\temp\splunkforwarder-6.2.2-255606-x64-release.msi RECEIVING_INDEXER="x.x.x.x:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=0 WINEVENTLOG_APP_ENABLE=0 AGREETOLICENSE=Yes /quiet /norestart /lv "c:\temp\splunkinstall.txt"

The issue is that the splunk_TA_windows local inputs.conf (below) shows that Security is disabled even though in the install I have it equal to "1" and the others equal to "0". If I'm correct, "0" means disabled and "1" means enabled. Plus, I'm not getting Security events, but I am getting other events (apps, sys) into Splunk. Am I doing something wrong?

Inputs.conf -- file

[WinEventLog://Application]
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
0 Karma
1 Solution

masonmorales
Influencer

"Issue is the splunk_TA_windows local inputs.conf (below) shows that security is disabled even though in the install I have it equal "1" & others equaling "0". If I'm correct "0" means disabled and "1" means enabled."
0 is equivalent to "False" and 1 is equivalent to "True", so a setting of disabled = 0 (false) means enabled in inputs.conf. This example is enabled:

 [WinEventLog://Security]
 disabled = 0

Regardless of what the installer does, you can go in after the fact, make changes to stanzas in inputs.conf and say disabled=0 (i.e. make it enabled) wherever you want, and then restart Splunk for it to take effect.


0 Karma
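As an added example (not part of this thread or of Splunk's own code), the script below merges a default/inputs.conf layer with a local/inputs.conf layer the way Splunk resolves settings (local wins), reports whether each WinEventLog stanza ends up collecting, and shows how the installer's WINEVENTLOG_<X>_ENABLE=1 becomes disabled = 0 in the stanza. The default-layer contents are constructed for illustration; the local layer is the one from the question.

```python
import configparser

# Constructed sample default/inputs.conf: every input shipped turned off
# (disabled = 1 is "true", i.e. do not collect).
DEFAULT_CONF = """
[WinEventLog://Application]
disabled = 1
[WinEventLog://Security]
disabled = 1
[WinEventLog://System]
disabled = 1
"""

# local/inputs.conf as posted in the question: only Security sets disabled = 0.
LOCAL_CONF = """
[WinEventLog://Application]
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
"""

# Installer switch suffix -> Windows event log channel name in the stanza.
INSTALLER_FLAGS = {"SEC": "Security", "SYS": "System", "APP": "Application"}

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   delimiters=("=",), strict=False)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def is_disabled(value):
    """Splunk boolean: 1/true/t means disabled, 0/false/f means enabled."""
    v = value.strip().lower()
    if v in ("1", "true", "t"):
        return True
    if v in ("0", "false", "f"):
        return False
    raise ValueError(f"not a Splunk boolean: {value!r}")

def effective_state(default_text, local_text):
    """Merge layers key by key (local wins); True = stanza collects.
    A stanza that never sets 'disabled' in any layer defaults to enabled."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return {s: not is_disabled(k.get("disabled", "0")) for s, k in merged.items()}

def installer_flags_to_local_conf(flags):
    """WINEVENTLOG_<X>_ENABLE=1 -> 'disabled = 0' (the inversion discussed above)."""
    lines = []
    for short, channel in INSTALLER_FLAGS.items():
        flag = f"WINEVENTLOG_{short}_ENABLE"
        if flag in flags:
            lines.append(f"[WinEventLog://{channel}]")
            lines.append(f"disabled = {0 if str(flags[flag]) == '1' else 1}")
    return "\n".join(lines) + "\n"
```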

fletch13
Explorer

If the installer switch were "WINEVENTLOG_SEC_DISABLE=X" instead of "WINEVENTLOG_SEC_ENABLE=", which would match the inputs.conf file, things would have made more sense. For me at least, but I'm new and still learning the Splunk way.
Either way, I got it and I understand. Thanks.

0 Karma

fletch13
Explorer

I think I understand the logic: putting "WINEVENTLOG_SEC_ENABLE=1" makes the "disabled = 0" (which means false, "do collect") in the inputs.conf file, which actually means enabled. I guess I could assume that if there isn't a "disabled=x" then it will use the default inputs.conf file setting, which is "disabled = 1" (which means true, "don't collect").

Is this the Splunk way of thinking?

0 Karma

masonmorales
Influencer

So, you are talking about two different things here, but the meaning of 1=True and 0=False does not change.

Running the installer, WINEVENTLOG_SEC_ENABLE=1 is indeed enabled.

In inputs.conf

[WinEventLog://Security]
disabled = 0

Also means enabled. Does that help?

0 Karma

masonmorales
Influencer

Regardless of what you are doing with the installer though, you can make changes to stanzas in inputs.conf and say disabled=0 (making it enabled) wherever you want, and then restart Splunk for it to take effect.

0 Karma

fletch13
Explorer

So are you saying that in order to collect Windows security events I need to have "WINEVENTLOG_SEC_ENABLE=0", which is false but means enabled?

From what I read in the Splunk documentation, in order to collect events it has to equal "1", which is true. So who is right?

(http://docs.splunk.com/Documentation/Splunk/6.2.2/Forwarding/DeployaWindowsdfviathecommandline)
--------------------- Splunk Documentation snippet ----------------------------
"Install the universal forwarder, enable indexing of the Windows security and system event logs, and run the installer in silent mode
You might do this to collect just the Security and System event logs through a "fire-and-forget" installation.

msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet"
-------------------------------------------------------------------------------------------- end of splunk doc --------------------

0 Karma