I'm working on getting the Universal Forwarder install switches set so we can deploy this with SCCM on Windows servers (2012, 2008, etc.). Below is the CLI I'm using, running as Admin on the device:
c:\temp\splunkforwarder-6.2.2-255606-x64-release.msi RECEIVING_INDEXER="x.x.x.x:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=0 WINEVENTLOG_APP_ENABLE=0 AGREETOLICENSE=Yes /quiet /norestart /lv "c:\temp\splunkinstall.txt"
Issue is the Splunk_TA_windows local inputs.conf (below) shows that Security is disabled even though in the install I have it equal "1" and the others equal "0". If I'm correct, "0" means disabled and "1" means enabled. Plus, I'm not getting Security events, but I am getting the other events (App, Sys) into Splunk. Am I doing something wrong?
inputs.conf file:
[WinEventLog://Application]
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]

"Issue is the Splunk_TA_windows local inputs.conf (below) shows that security is disabled even though in the install I have it equal "1" & others equaling "0". If I'm correct "0" means disabled and "1" means enabled."
0 is equivalent to "False" and 1 is equivalent to "True", so a setting of disabled = 0 (false) means enabled in inputs.conf. This example is enabled:
[WinEventLog://Security]
disabled = 0
Regardless of what the installer does, you can go in after the fact, make changes to stanzas in inputs.conf and say disabled=0 (i.e. make it enabled) wherever you want, and then restart Splunk for it to take effect.
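To make the two rules in this answer concrete (local/ overrides default/ stanza by stanza, and `disabled = 0` is false, so the input runs), here is an added example that is not from the original thread or from Splunk. It merges two constructed inputs.conf layers the way the forwarder's configuration precedence does and reports which WinEventLog inputs would be collecting. The sample default/ layer is illustrative only; the real shipped defaults for a given app or version may differ, and the treatment of a stanza with no `disabled` key anywhere as enabled is an assumption taken from the inputs.conf spec default of 0, so verify it on a real host with `splunk btool inputs list --debug`.

```python
"""Merge Splunk inputs.conf layers and report which inputs are enabled.

Added example for this thread, not code from the original post or from
Splunk.  The two conf texts below are constructed for the example.
"""
import configparser

# Constructed sample default/ layer: every Windows event log input off.
# Illustrative only; a real default/inputs.conf may differ.
DEFAULT_CONF = """
[WinEventLog://Application]
disabled = 1
[WinEventLog://Security]
disabled = 1
[WinEventLog://System]
disabled = 1
"""

# Constructed sample local/ layer, shaped like the one in the question:
# installed with WINEVENTLOG_SEC_ENABLE=1 and the other two set to 0.
LOCAL_CONF = """
[WinEventLog://Application]
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
"""

# Assumption: when no layer sets `disabled`, the spec default (0) applies.
SPEC_DEFAULT_DISABLED = "0"


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, preserving key case."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as-is
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def splunk_bool(value):
    """Interpret a Splunk boolean: 1/true/yes/on are true, 0/false/no/off false."""
    v = str(value).strip().lower()
    if v in ("1", "true", "yes", "on"):
        return True
    if v in ("0", "false", "no", "off"):
        return False
    raise ValueError("not a Splunk boolean: %r" % value)


def merge_layers(*layers):
    """Later layers win key by key inside a stanza (default/ first, local/ last)."""
    merged = {}
    for layer in layers:
        for stanza, keys in layer.items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def enabled_inputs(merged):
    """Map each stanza to True when it will collect, i.e. `disabled` is false."""
    return {
        stanza: not splunk_bool(keys.get("disabled", SPEC_DEFAULT_DISABLED))
        for stanza, keys in merged.items()
    }


def report(default_text=DEFAULT_CONF, local_text=LOCAL_CONF):
    """Return the enabled map for the two layers; also used by the demo below."""
    return enabled_inputs(merge_layers(parse_conf(default_text), parse_conf(local_text)))


if __name__ == "__main__":
    for stanza, on in report().items():
        print("%-30s %s" % (stanza, "collecting" if on else "not collecting"))
```

With these two layers only `WinEventLog://Security` ends up collecting: its local `disabled = 0` overrides the default `1`, while Application and System have empty local stanzas and inherit `disabled = 1` from default/. That is exactly why seeing `disabled = 0` under Security in local/inputs.conf is the enabled state, not the disabled one.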
If the installer switch were "WINEVENTLOG_SEC_DISABLE=X" instead of "WINEVENTLOG_SEC_ENABLE=", which would match the inputs.conf file, things would have made more sense. For me at least, but I'm new and still learning the Splunk way.
Either way I got it and I understand. Thanks.
I think I understand the logic: putting "WINEVENTLOG_SEC_ENABLE=1" makes the "disabled = 0" (which means false, "do collect") in the inputs.conf file, which actually means enable. I guess I could assume that if there isn't a "disabled = x" then it will use the default inputs.conf file setting, which is "disabled = 1" (which means true, "don't collect").
Is this the Splunk way of thinking?

So, you are talking about two different things here, but the meaning of 1=True and 0=False does not change.
Running the installer, WINEVENTLOG_SEC_ENABLE=1 is indeed enabled.
In inputs.conf
[WinEventLog://Security]
disabled = 0
Also means enabled. Does that help?

Regardless of what you are doing with the installer though, you can make changes to stanzas in inputs.conf and say disabled=0 (making it enabled) wherever you want, and then restart Splunk for it to take effect.
So are you saying that in order to collect Windows security events I need to have "WINEVENTLOG_SEC_ENABLE=0", which is false but means enabled?
From what I read in the Splunk documentation, in order to collect events it has to equal "1", which is true. So who is right?
(http://docs.splunk.com/Documentation/Splunk/6.2.2/Forwarding/DeployaWindowsdfviathecommandline)
--------------------- Splunk Documentation snippet ----------------------------
"Install the universal forwarder, enable indexing of the Windows security and system event logs, and run the installer in silent mode
You might do this to collect just the Security and System event logs through a "fire-and-forget" installation.
msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet"
-------------------------------------------------------------------------------------------- end of splunk doc --------------------
