Archive

Reading WindowsEvent logs from UNC path

Explorer

Hi,

I have some issues with setting up Splunk to read a WindwsEvent file stored on a network share. It seems like the setup is fine, but no files shows up in Splunk and nothing is indexed.

From the exact same destination I'm able to read windows update logs without any problems, so it shouldn't be any problems with the credentials. All files have the same permissions.

Since this is my first tme setting up Splunk I hope i have made some simple misstake which is easily fixed.

Tags (2)
0 Karma

Splunk Employee
Splunk Employee

Explorer

It turned out I was restricted by a very exotic Group Policy Setting. When that was corrected, everything works fine.

Thanks for all the answers and quick help!

0 Karma

Motivator

Adding to the above the splunk which has access to the unc path need to be installed on Windows Vista, 7 or Server 2008/2008 R2 to read .evtx

0 Karma

Motivator

Explorer

All access to the server is firewalled except for the network share where the logs are put as evtx files. I'm not allowed to connect directly to the originator. The files on the share are file dumps from the event log.

Splunk Employee
Splunk Employee

What access path is restricted?

0 Karma

Explorer

Unfortunately that access path is restricted, I have only the UNC path to work with 😞

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!