I am trying to get additional logs sent to Splunk Cloud from a Windows domain controller. I modified my inputs.conf file to add the additional logs but do not see them in the wineventlog index. Am I missing something? Here is the inputs.conf contents.
[default]
host = DC1
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
[WinEventLog://DNS Server]
disabled = 0
[WinEventLog://Directory Service]
disabled = 0
[WinEventLog://File Replication Service]
disabled = 0
Please check the permissions on the event logs.
Anyone have any other ideas?
Yes. I restarted the Splunk service.
Did you bump the service after modifying inputs.conf?
I do see the security, system and application logs. Not the others that I have in the inputs.conf file. Prior to the addition to the inputs.conf I saw those logs with the following config.
[default]
host = DC1
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
I just added the individual log entries.
Do you see any logs from this host? If you search index=* host=XYZ over the past 24 hours (or some other reasonable time frame) what do you get?
Also, try adding index = wineventlog into each of those stanzas to force them (hopefully) to the right index.
I do see the Directory Service log in the default index. I changed the inputs.conf file to read as below. We will see what that does.
[default]
host = OKDC1
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
index = wineventlog
disabled = 0
[WinEventLog://Application]
index = wineventlog
disabled = 0
[WinEventLog://Security]
index = wineventlog
disabled = 0
[WinEventLog://System]
index = wineventlog
disabled = 0
[WinEventLog://DNS Server]
index = wineventlog
disabled = 0
[WinEventLog://Directory Service]
index = wineventlog
disabled = 0
[WinEventLog://File Replication Service]
index = wineventlog
disabled = 0
I am now seeing the info for the Directory Service in the wineventlog.
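As an added example (not code from this thread or from Splunk), a small Python lint that reproduces the diagnosis above: it parses an inputs.conf and flags enabled WinEventLog stanzas that carry no index = setting (those events fall through to the default index rather than wineventlog), along with keys set twice inside one stanza. The sample config and the index name wineventlog come from the thread; the parser and its messages are assumed.

```python
"""Lint a Splunk inputs.conf for WinEventLog stanzas that would miss the intended index."""
import re
from collections import Counter

# Constructed sample modelled on the thread's first inputs.conf: the WinEventLog
# stanzas set disabled only, so their events land in the default index.
SAMPLE_BEFORE = """\
[default]
host = DC1
[script://$SPLUNK_HOME\\bin\\scripts\\splunk-wmi.path]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://DNS Server]
disabled = 0
"""

def parse_stanzas(text):
    """Return {stanza_name: [(key, value), ...]}; duplicate keys are kept so they can be reported."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current].append((key.strip(), value.strip()))
    return stanzas

def lint(text, expected_index="wineventlog"):
    """Return [(stanza, message)] for WinEventLog stanzas routed to the wrong index and for repeated keys."""
    findings, stanzas = [], parse_stanzas(text)
    # Settings in [default] are inherited by every stanza that does not override them.
    default_index = dict(stanzas.get("default", [])).get("index")
    for name, pairs in stanzas.items():
        for key, n in Counter(k for k, _ in pairs).items():
            if n > 1:
                findings.append((name, f"key '{key}' set {n} times; Splunk keeps the last value"))
        keys = dict(pairs)
        if not name.startswith("WinEventLog://") or keys.get("disabled", "0") not in ("0", "false"):
            continue  # only enabled event log inputs matter for routing
        idx = keys.get("index", default_index)
        if idx is None:
            findings.append((name, "no index set; events go to the default index, not " + expected_index))
        elif idx != expected_index:
            findings.append((name, f"index is '{idx}', expected '{expected_index}'"))
    return findings

if __name__ == "__main__":
    for stanza, msg in lint(SAMPLE_BEFORE):
        print(f"[{stanza}] {msg}")
```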