
Windows EventLog details - Exchange Management Log

pcjunkie
Explorer

In Server 2008 and above, the Windows Event Log has a General tab and a Details tab.
Splunk is great at polling and indexing the General tab, but the Details tab, whether in the Friendly view or the XML view, also has data that is critical to troubleshooting.

My case in point:
Exchange 2010 event log WinEventLog:MSExchange Management is being polled and indexed. An event looks like this:

20121128102958.000000
Category=1
CategoryString=General
EventCode=6
EventIdentifier=-1073741818
EventType=1
Logfile=MSExchange Management
RecordNumber=428075
SourceName=MSExchange CmdletLogs
TimeGenerated=20121128162958.000000-000
TimeWritten=20121128162958.000000-000
Type=Error
User=NULL
ComputerName=EXCHANGESERVER.DOMAIN.COM
wmi_type=WinEventLog:MSExchange Management
Message=Cmdlet failed. Cmdlet Add-DistributionGroupMember, parameters {Identity="GUID=big-long-serial-number", Member="distinguishedName of user", Confirm=False}.

The error message that the Cmdlet failed is not specific enough.
In the details tab this same event may have many different reasons. Here are two:

Microsoft.Exchange.Management.Tasks.MemberAlreadyExistsException: The recipient "distinguishedName of user" is already a member of the group "distinguishedName of distribution group".

Microsoft.Exchange.Data.Directory.ADScopeException: "distinguishedName of distribution group" isn't within your current write scopes. Can't perform save operation. 

Similar event, two different reasons. One reason requires attention, the other can be ignored.

So my question is how can Splunk index this detail data behind the general event information?

1 Solution

pcjunkie
Explorer

So after some asking around it appears that the Splunk event reader engine cannot get the detail I'm looking for.

I will be opening a feature request to see if this can be added to a future release.


halr9000
Motivator

As a workaround to the point that @pcjunkie made, you could get the data another way. I would play with the Get-WinEvent cmdlet, and the resulting Properties property. I think that's where the details go, but am not 100% certain.

PS C:\Users\hrottenberg> Get-WinEvent -LogName "Microsoft-Windows-TaskScheduler/Operational" -MaxEvents 1 | fl *


Message              : Task Scheduler shutdown Task Engine
                       "S-1-5-21-1559891614-3024993685-3922480044-1000:LAB-WIN-SVR-1\hrottenberg:Interactive:LUA[1]"
                       process.
Id                   : 318
Version              : 0
Qualifiers           :
Level                : 4
Task                 : 318
Opcode               : 2
Keywords             : -9223372036854775808
RecordId             : 207793
ProviderName         : Microsoft-Windows-TaskScheduler
ProviderId           : de7b24ea-73c8-4a09-985d-5bdadcfa9017
LogName              : Microsoft-Windows-TaskScheduler/Operational
ProcessId            : 880
ThreadId             : 2708
MachineName          : lab-win-svr-1.bd.splunk.com
UserId               : S-1-5-18
TimeCreated          : 9/9/2013 1:49:01 PM
ActivityId           :
RelatedActivityId    :
ContainerLog         : microsoft-windows-taskscheduler/operational
MatchedQueryIds      : {}
Bookmark             : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName     : Information
OpcodeDisplayName    : Stop
TaskDisplayName      : Task engine properly shut down
KeywordsDisplayNames : {}
Properties           : {System.Diagnostics.Eventing.Reader.EventProperty}



PS C:\Users\hrottenberg> Get-WinEvent -LogName "Microsoft-Windows-TaskScheduler/Operational" -MaxEvents 1 | select -ExpandProperty properties

Value
-----
S-1-5-21-1559891614-3024993685-3922480044-1000:LAB-WIN-SVR-1\hrottenberg:Interactive:LUA[1]

halr9000
Motivator

And be sure to check out the PowerShell add-on, it lets you paste a PowerShell script into inputs.conf if you want. http://apps.splunk.com/app/1477

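A script that does what halr9000's two replies above suggest, as an added example that is not part of the thread and is not code from Splunk or from the PowerShell add-on: it reads the MSExchange Management log with Get-WinEvent, expands each event's Properties (the payload behind the Details tab) into key="value" pairs that Splunk's automatic field extraction picks up, and pulls out the exception class so that a MemberAlreadyExistsException can be told apart from an ADScopeException in a search. The log name, the property layout, the field names and the function name are assumptions; check them against your own events with the "fl *" and "-ExpandProperty Properties" commands shown above. The script can be run as a scheduled scripted input or pasted into inputs.conf via the PowerShell add-on as halr9000 describes.

```powershell
# Added example (not from the thread, not code from Splunk or the add-on).
# Emits one line per event in key="value" form so Splunk extracts the fields.
# Log name, property positions and field names are assumptions.
function Get-ExchangeCmdletDetail {
    param(
        [string]$LogName   = 'MSExchange Management',   # assumed log name
        [int]   $MaxEvents = 50
    )

    Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $evt = $_
            # The Details tab is the event's XML payload; ToXml() returns it.
            [xml]$xml = $evt.ToXml()
            # EventData/Data carries the positional payload; Name attributes may be absent,
            # and some providers use UserData instead, in which case $data is empty.
            $data = @($xml.Event.EventData.Data)

            # Fields the General tab already gives us, for correlation with the
            # WinEventLog input that is indexing the same event.
            $fields = [ordered]@{
                TimeCreated  = $evt.TimeCreated.ToString('o')
                EventCode    = $evt.Id
                Level        = $evt.LevelDisplayName
                SourceName   = $evt.ProviderName
                ComputerName = $evt.MachineName
                RecordNumber = $evt.RecordId
            }

            # Each Properties entry is one detail-tab value; name it from the XML
            # when possible, otherwise by position.
            for ($i = 0; $i -lt $evt.Properties.Count; $i++) {
                $name  = if ($data[$i].Name) { $data[$i].Name } else { "Property$i" }
                $value = [string]$evt.Properties[$i].Value
                # Collapse line breaks so the whole event stays on one line.
                $fields[$name] = ($value -replace '[\r\n]+', ' ').Trim()
            }

            # The reason a cmdlet failed shows up as an exception class in the
            # payload (e.g. ...MemberAlreadyExistsException: ...); surface it as
            # its own field so searches can separate ignorable from actionable.
            foreach ($p in $evt.Properties) {
                $m = [regex]::Match([string]$p.Value, '([\w.]+Exception):')
                if ($m.Success) {
                    $fields['ExceptionType'] = $m.Groups[1].Value
                    break
                }
            }

            # Render as key="value" pairs; escape embedded quotes.
            ($fields.GetEnumerator() | ForEach-Object {
                '{0}="{1}"' -f $_.Key, ([string]$_.Value -replace '"', '\"')
            }) -join ' '
        }
}

# Usage: print the most recent events in Splunk-friendly form.
Get-ExchangeCmdletDetail
```

Once indexed, a search such as `ExceptionType=ADScopeException` isolates the events that need attention, while `ExceptionType=MemberAlreadyExistsException` can be excluded or alerted on separately. If the Exchange events turn out to carry the exception text in a single unnamed property, the positional PropertyN field still holds the full message.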

