Applications and Services Logs

marcmoennikes
Engager

Hello,

I want to collect events from the Windows 2008 (R2) event logs -> "Applications and Services Logs" -> "Microsoft" -> "Windows".
When I use "Add data" -> "Windows event logs" in the Splunk GUI, I only see event logs in the first hierarchy level, like "System", "Application", "PowerShell", "Security" and so on.
Is there any additional configuration needed to collect the events that are shown under "Applications and Services Logs"?
Do I need Snare or a forwarder?

Thank you
Regards

Marc

1 Solution

ftk
Motivator

If you install Splunk on Windows 2008 and run it as an account with the appropriate privileges (e.g. Local System), you should be able to see all available event logs -- I know I can on my 2008 installs.

You can also add monitors for these logs manually in inputs.conf. For Event viewer/Applications and Services/Microsoft/Windows/UAC/Operational for example you can add

[WinEventLog:Microsoft-Windows-UAC/Operational]
disabled = 0

sadkha
Path Finder

Hi FTK,

I'm trying to collect data from an EDM server, which is directly under Applications and Services Logs. The log path is:

%SystemRoot%\System32\Winevt\Logs\EDM Server.evtx

I've tried variations of [WinEventLog:Logs\EDM Server] and [WinEventLog:Applications and Services Logs\EDM Server] but it doesn't seem to work. Any idea?


piebob
Splunk Employee

ftk is the best!


piebob
Splunk Employee

You can monitor non-default Windows event logs by adding them to a local copy of your inputs.conf file:
http://www.splunk.com/base/Documentation/latest/Data/MonitorWindowsdata#Use_inputs.conf_to_configure...

You apparently have to import these event logs into the Windows Event Viewer beforehand, and then you can add a stanza for the specific event log.
I don't believe it's possible to add these non-default event logs via Splunk Web.
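The stanza form in ftk's accepted answer and piebob's note that these channels only go in through inputs.conf both hinge on one detail: the text after WinEventLog: has to be the channel's real name, the string Event Viewer shows as "Log Name" (for example Microsoft-Windows-UAC/Operational), not the folder path in the tree and not the .evtx file name. The PowerShell script below is an added example by the editor, not code from this thread or from Splunk. It lists the Applications and Services channels on the host, prints each channel's real name next to its .evtx path (the mix-up in the "EDM Server" question above), flags channels that Windows currently has disabled, and emits a ready-to-paste stanza per channel. It assumes an elevated PowerShell session on the host that owns the logs (PowerShell 2.0 as shipped with 2008 R2 is enough); the -Filter parameter is this script's own, not a Splunk setting.

```powershell
<#
Added example (editor's, not from the thread or from Splunk): list the channels
under "Applications and Services Logs" and print a Splunk inputs.conf stanza
for each, using the channel's real name.

Assumes an elevated PowerShell session on the host that owns the logs.
-Filter is this script's own parameter, not a Splunk setting.
#>
param(
    # Wildcard matched against channel names, e.g. 'Microsoft-Windows-PrintService/*'
    [string]$Filter = '*'
)

# Classic logs that Splunk Web's "Windows event logs" picker already offers.
$Classic = @('Application', 'Security', 'Setup', 'System', 'ForwardedEvents')

function Get-AppAndServicesChannel {
    param([string]$Pattern = '*')
    # Analytic and Debug channels are hidden unless -Force is given and are
    # deliberately left out; Administrative and Operational channels are the
    # ones this thread is about. Channels the caller cannot read are skipped.
    Get-WinEvent -ListLog $Pattern -ErrorAction SilentlyContinue |
        Where-Object {
            ($Classic -notcontains $_.LogName) -and
            (@('Administrative', 'Operational') -contains $_.LogType.ToString())
        } |
        Sort-Object LogName
}

function ConvertTo-InputsStanza {
    param($Channel)   # one object as returned by Get-WinEvent -ListLog
    $lines = @()
    if ($Channel.IsEnabled) {
        $lines += "[WinEventLog:$($Channel.LogName)]"
        $lines += 'disabled = 0'
    } else {
        # Many Operational channels (PrintService/Operational among them) ship
        # disabled in Windows; Splunk indexes nothing until the channel is on.
        $lines += "# Channel is disabled in Windows. Enable it first, then set disabled = 0:"
        $lines += "#   wevtutil sl `"$($Channel.LogName)`" /e:true"
        $lines += "[WinEventLog:$($Channel.LogName)]"
        $lines += 'disabled = 1'
    }
    $lines += 'start_from = oldest'   # backfill existing events on first start
    $lines += 'current_only = 0'      # and keep following new events afterwards
    $lines -join "`r`n"
}

$channels = @(Get-AppAndServicesChannel -Pattern $Filter)

# The LogName column is what goes into inputs.conf. LogFilePath shows why the
# .evtx file name (such as "EDM Server.evtx" earlier in the thread) is not it.
$channels |
    Select-Object LogName, LogType, IsEnabled, RecordCount, LogFilePath |
    Format-Table -AutoSize |
    Out-String -Width 200 |
    Write-Host

# Paste the output into $SPLUNK_HOME\etc\system\local\inputs.conf (or an app's
# local\inputs.conf) on the forwarder and restart it.
($channels | ForEach-Object { ConvertTo-InputsStanza -Channel $_ }) -join "`r`n`r`n"
```

Two practitioner notes. First, ftk's suggestion to run as Local System works but is more privilege than the input needs; if the forwarder runs as a dedicated service account instead, add that account to the local Event Log Readers group and re-run the script as that account, since a channel it cannot read simply drops out of the listing. A channel with a custom access list may still need an explicit grant; `wevtutil gl "<channel>"` prints the channelAccess SDDL to check against. Second, `start_from = oldest` backfills everything already in the .evtx on first start, which on a busy Operational channel can be a lot of data; use it deliberately rather than by default.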

AaronMoorcroft
Communicator

I managed it with this -

[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
start_from = oldest
current_only = 0

marcmoennikes
Engager

Hello,

Thanks for your reply. I want to add events from logs which reside "deeper" in the event log structure in Windows 2008 R2.
When I open the Event Viewer I have a folder "Applications and Services Logs". Under this folder there is "Microsoft", then "Windows", and then the specific logs for different Windows Server roles like Remote Desktop Connection Broker, Print Service and so on.

Regards

Marc


piebob
Splunk Employee

I'm not sure I understand the question -- are you saying you have added the System/Application/Security/etc. event logs as inputs and you do not see the events from them? Are you trying to collect these events from a remote host?
