
Splunk Add-on for Microsoft Windows: Why does the universal forwarder local inputs.conf show [WinEventLog://Security] as disabled?

Explorer

I'm working on getting the Universal Forwarder install switches set so we can deploy this with SCCM on Windows servers (2012, 2008, etc.). Below is the CLI I'm using, run as Admin on the device:

c:\temp\splunkforwarder-6.2.2-255606-x64-release.msi RECEIVING_INDEXER="x.x.x.x:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=0 WINEVENTLOG_APP_ENABLE=0 AGREETOLICENSE=Yes /quiet /norestart /lv "c:\temp\splunkinstall.txt"

The issue is that the Splunk_TA_windows local inputs.conf (below) shows that Security is disabled, even though in the install I have it set to "1" and the others set to "0". If I'm correct, "0" means disabled and "1" means enabled. Plus, I'm not getting Security events, but I am getting the other events (App, Sys) into Splunk. Am I doing something wrong?

inputs.conf file:

 [WinEventLog://Application]
 [WinEventLog://Security]
 disabled = 0
 [WinEventLog://System]

Influencer

"Issue is the splunk_TA_windows local inputs.conf (below) shows that security is disabled even though in the install I have it equal "1" & others equaling "0". If I'm correct "0" means disabled and "1" means enabled."

0 is equivalent to "False" and 1 is equivalent to "True", so a setting of disabled = 0 (false) means enabled in inputs.conf. This example is enabled:

 [WinEventLog://Security]
 disabled = 0

Regardless of what the installer does, you can go in after the fact, make changes to stanzas in inputs.conf and say disabled=0 (i.e. make it enabled) wherever you want, and then restart Splunk for it to take effect.


Explorer

If the installer switch were "WINEVENTLOG_SEC_DISABLE=X" instead of "WINEVENTLOG_SEC_ENABLE=X", which would match the inputs.conf file, things would have made more sense. For me at least, but I'm new and still learning the Splunk way.
Either way, I got it and I understand. Thanks.

Explorer

I think I understand the logic: putting "WINEVENTLOG_SEC_ENABLE=1" makes the "disabled = 0" (which means false, "do collect") in the inputs.conf file, which actually means enabled. I guess I could assume that if there isn't a "disabled = x" then it will use the default inputs.conf setting, which is "disabled = 1" (which means true, "don't collect").

Is this the Splunk way of thinking?

Influencer

So, you are talking about two different things here, but the meaning of 1=True and 0=False does not change.

Running the installer, WINEVENTLOG_SEC_ENABLE=1 is indeed enabled.

In inputs.conf

[WinEventLog://Security] 
disabled = 0 

Also means enabled. Does that help?

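The layering that the question and the reply above are circling, as an added example (not code from this thread, from Splunk, or from the MSI): a small Python model of how Splunk merges default/inputs.conf under local/inputs.conf key by key and then reads each stanza's disabled flag, run against a constructed default layer and a local file that mirrors the one pasted in the question. Assumptions, as labelled in the code: the add-on's default layer ships the WinEventLog stanzas with disabled = 1 (what the question supposes), a stanza with no disabled key in any layer counts as enabled (the inputs.conf.spec default is disabled = false), and local_from_switches is a hypothetical rendering of the installer's ENABLE=1 to disabled = 0 inversion, not the installer's own code.

```python
"""Model of how Splunk resolves "disabled" for WinEventLog stanzas (added example)."""

# Constructed default/inputs.conf layer. ASSUMPTION: the Windows add-on ships
# every WinEventLog stanza disabled in its default layer, as the question supposes.
DEFAULT_INPUTS = """\
[WinEventLog://Application]
disabled = 1
[WinEventLog://Security]
disabled = 1
[WinEventLog://System]
disabled = 1
"""

# Constructed local/inputs.conf mirroring the file pasted in the question:
# only Security carries a disabled key; Application and System are bare headers.
LOCAL_INPUTS_FROM_QUESTION = """\
[WinEventLog://Application]
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
"""

# Installer property -> the stanza it controls (the three switches used on this page).
SWITCH_TO_STANZA = {
    "WINEVENTLOG_APP_ENABLE": "WinEventLog://Application",
    "WINEVENTLOG_SEC_ENABLE": "WinEventLog://Security",
    "WINEVENTLOG_SYS_ENABLE": "WinEventLog://System",
}

# 1/0 and true/false are the documented forms; the other spellings are accepted
# here for tolerance (assumption), and anything else is rejected loudly.
TRUE_WORDS = {"1", "true", "t", "yes", "y", "on"}
FALSE_WORDS = {"0", "false", "f", "no", "n", "off"}


def to_bool(value):
    """Turn a .conf boolean string into a Python bool; raise on junk rather than guess."""
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    raise ValueError(f"not a boolean setting: {value!r}")


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; '#' comments and blank lines are skipped."""
    conf, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
            continue
        if stanza is None or "=" not in line:
            continue  # key outside any stanza, or junk: ignored
        key, _, value = line.partition("=")
        conf[stanza][key.strip()] = value.strip()
    return conf


def merge_layers(*layers):
    """Overlay layers key by key; a later layer (local) wins over an earlier one (default)."""
    merged = {}
    for layer in layers:
        for stanza, keys in layer.items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def is_enabled(stanza_keys):
    """A stanza is collected unless disabled resolves to true.
    With no disabled key in any layer, Splunk's built-in default is disabled = false."""
    return not to_bool(stanza_keys.get("disabled", "false"))


def effective_inputs(default_text, local_text):
    """Return {stanza: enabled?} for every WinEventLog stanza after layering local over default."""
    merged = merge_layers(parse_conf(default_text), parse_conf(local_text))
    return {s: is_enabled(k) for s, k in merged.items() if s.startswith("WinEventLog://")}


def local_from_switches(switches):
    """Hypothetical rendering of the installer mapping: WINEVENTLOG_*_ENABLE=1 becomes
    disabled = 0 and ENABLE=0 becomes disabled = 1. Not the MSI's own code."""
    lines = []
    for switch, stanza in SWITCH_TO_STANZA.items():
        if switch in switches:
            lines.append(f"[{stanza}]")
            lines.append(f"disabled = {'0' if to_bool(switches[switch]) else '1'}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    switches = {"WINEVENTLOG_SEC_ENABLE": "1", "WINEVENTLOG_SYS_ENABLE": "0", "WINEVENTLOG_APP_ENABLE": "0"}
    for label, local in (("switches", local_from_switches(switches)),
                         ("question", LOCAL_INPUTS_FROM_QUESTION)):
        for stanza, enabled in effective_inputs(DEFAULT_INPUTS, local).items():
            print(f"{label:9} {stanza:28} {'enabled' if enabled else 'disabled'}")
```

Both local files resolve the same way under this model: Security is the only enabled stanza, because the bare [WinEventLog://Application] and [WinEventLog://System] headers in the question's file add no keys and so inherit disabled = 1 from default. On a real forwarder the authoritative merged view is `splunk btool inputs list --debug` (run from the forwarder's bin directory), which also prints which file each key came from; after editing a local inputs.conf by hand, `splunk restart` is what makes the change take effect.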

Influencer

Regardless of what you are doing with the installer though, you can make changes to stanzas in inputs.conf and say disabled=0 (making it enabled) wherever you want, and then restart Splunk for it to take effect.


Explorer

So are you saying that in order to collect Windows security events I need to have "WINEVENTLOG_SEC_ENABLE=0", which is false but means enabled?

From what I read in the Splunk documentation, in order to collect events it has to equal "1", which is true. So who is right?

(http://docs.splunk.com/Documentation/Splunk/6.2.2/Forwarding/DeployaWindowsdfviathecommandline)
--------------------- Splunk Documentation snippet ----------------------------
"Install the universal forwarder, enable indexing of the Windows security and system event logs, and run the installer in silent mode
You might do this to collect just the Security and System event logs through a "fire-and-forget" installation.

msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet"
--------------------- end of Splunk doc ----------------------------