Forward additional Windows logs

New Member

I am trying to get additional logs sent to Splunk Cloud from a Windows domain controller. I modified my inputs.conf file to add the additional logs but do not see them in the wineventlog index. Am I missing something? Here are the inputs.conf contents.

[default]
host = DC1

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://DNS Server]
disabled = 0

[WinEventLog://Directory Service]
disabled = 0

[WinEventLog://File Replication Service]
disabled = 0

Re: Forward additional Windows logs

SplunkTrust

Do you see any logs from this host? If you search index=* host=XYZ over the past 24 hours (or some other reasonable time frame) what do you get?

Also, try adding index = wineventlog into each of those stanzas to force them (hopefully) to the right index.

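A diagnostic for the two things the reply above asks about, added here as an example (it is not from the thread and not Splunk's own tooling): it parses the forwarder's inputs.conf, lists every WinEventLog:// stanza with the index it will actually write to (the [default] stanza's index, or main if none is set), warns when a key is repeated inside a stanza, and checks with Get-WinEvent that each channel name exists on the host, since a stanza whose name does not match an installed log produces no events. The inputs.conf path is the usual Universal Forwarder location and is an assumption; pass -InputsConf to override it.

```powershell
# Added example, not from the thread or from Splunk. Run on the domain controller
# in an elevated PowerShell session so that restricted channels (Security) are readable.
param(
    # Assumed default path for a Universal Forwarder; override with -InputsConf.
    [string]$InputsConf = "$env:ProgramFiles\SplunkUniversalForwarder\etc\system\local\inputs.conf"
)

function Get-SplunkStanzas {
    # Minimal inputs.conf reader: [stanza] headers followed by key = value lines.
    param([string[]]$Lines)
    $stanzas = @{}
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $stanzas[$current] = [ordered]@{}
            continue
        }
        if ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $key = $Matches[1].Trim(); $val = $Matches[2].Trim()
            if ($stanzas[$current].Contains($key)) {
                # Splunk accepts this silently and the last value wins; flag it anyway.
                Write-Warning "Stanza [$current] sets '$key' more than once"
            }
            $stanzas[$current][$key] = $val
        }
    }
    return $stanzas
}

$stanzas = Get-SplunkStanzas -Lines (Get-Content -Path $InputsConf -ErrorAction Stop)

# Per-stanza index falls back to [default] index, and from there to Splunk's default index, main.
$defaultIndex = 'main'
if ($stanzas.Contains('default') -and $stanzas['default'].Contains('index')) {
    $defaultIndex = $stanzas['default']['index']
}

foreach ($name in $stanzas.Keys) {
    if ($name -notmatch '^WinEventLog://(.+)$') { continue }
    $channel = $Matches[1]
    $s = $stanzas[$name]
    $index = if ($s.Contains('index')) { $s['index'] } else { $defaultIndex }

    # Exact-name lookup against the host's installed event logs. A typo or a log that
    # is not present on this server comes back empty, and Splunk will forward nothing.
    $log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Stanza        = $name
        Disabled      = ($s['disabled'] -in @('1', 'true'))
        Index         = $index
        ChannelExists = [bool]$log
        LogEnabled    = if ($log) { $log.IsEnabled } else { $null }
        RecordCount   = if ($log) { $log.RecordCount } else { $null }
    }
}
```

Any row with ChannelExists false (or RecordCount 0) explains a missing channel on the Splunk side without looking further; for rows that look healthy, confirm arrival per channel with the search the reply suggests, narrowed by source, for example index=* host=DC1 source="WinEventLog:Directory Service", and check $SPLUNK_HOME\var\log\splunk\splunkd.log on the forwarder for errors mentioning that channel after the restart.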
Re: Forward additional Windows logs

New Member

I do see the Directory Service log in the default index. I changed the inputs.conf file to read as below. We will see what that does.

[default]
host = OKDC1

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
index = wineventlog
disabled = 0

[WinEventLog://Application]
index = wineventlog
disabled = 0

[WinEventLog://Security]
index = wineventlog
disabled = 0

[WinEventLog://System]
index = wineventlog
disabled = 0

[WinEventLog://DNS Server]
index = wineventlog
disabled = 0

[WinEventLog://Directory Service]
index = wineventlog
disabled = 0

[WinEventLog://File Replication Service]
index = wineventlog
disabled = 0

Re: Forward additional Windows logs

New Member

I am now seeing the info for the Directory Service in the wineventlog.

Re: Forward additional Windows logs

New Member

I do see the security, system and application logs. Not the others that I have in the inputs.conf file. Prior to the addition to the inputs.conf I saw those logs with the following config.

[default]
host = DC1

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

I just added the individual log entries.

Re: Forward additional Windows logs

SplunkTrust

Did you bump the service after modifying inputs.conf?

Re: Forward additional Windows logs

New Member

Yes. I restarted the Splunk service.

Re: Forward additional Windows logs

New Member

Anyone have any other ideas?
