Getting Data In

After moving Windows Event Logs to a non-default location, what edits to inputs.conf are needed for logs to be forwarded?

aszbikowski
Engager

I'm using the Splunk Universal Forwarders on our Citrix XenApp servers to forward logs to Splunk Enterprise. Besides the default Application, Security, and System logs I've also added AppLocker logs.

What I'm seeing is that the AppLocker logs are working as expected, but the Application, Security, and System logs are not making it to Splunk.

What I think is going on is the AppLocker logs are in the default location (%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx) but because these are Citrix XenApp servers and they PXE boot from Citrix Provisioning Services, any changes to the C: drive do not persist between reboots.

So we've moved the Application, Security, and System logs from the default location on the C: drive to Z:\Event Viewer\ (Z:\Event Viewer\Application.evtx, Z:\Event Viewer\Security.evtx, Z:\Event Viewer\System.evtx). The Z:\ drive is unique for each virtual machine and it's contents persist between reboots.

Would this be the reason my Application, Security, and System logs are not being forwarded to Splunk? Does the inputs.conf file need to be changed in order to get these logs forwarding?

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
renderXml = 0
evt_resolve_ad_obj = 1

[WinEventLog://Microsoft-Windows-AppLocker/MSI and Script]
disabled = 0
renderXml = 0
evt_resolve_ad_obj = 1

Thanks.

scottmwa
Explorer

So you're just monitoring the new file location? Did you disable the old [WinEventLog://Application] stanzas?

0 Karma

aszbikowski
Engager

Ended up with

[monitor://Z:\EventLogs]
disabled = 0

Which seems to work. Seems like there should be a better way.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...