Getting Data In

Applications and Services Logs

marcmoennikes
Engager

Hello,

I want to collect events from the Windows 2008 (R2) event logs -> "Application and Services Logs" -> "Microsoft" -> "Windows".
When I use "Add data" -> "Windows event logs" in the Splunk GUI, I only see event logs in the first hierarchy, like "System", "Application", "PowerShell", "Security" and so on.
Is there any additional configuration needed to collect the events which are shown under "Application and Services Logs"?
Do I need Snare or a forwarder?

Thank you
Regards

Marc

1 Solution

ftk
Motivator

If you install Splunk on Windows 2008 and run it as an account with the appropriate privileges (e.g. Local System), you should be able to see all available event logs -- I know I can on my 2008 installs.

You can also add monitors for these logs manually in inputs.conf. For Event viewer/Applications and Services/Microsoft/Windows/UAC/Operational for example you can add

[WinEventLog:Microsoft-Windows-UAC/Operational]
disabled = 0

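The stanza name is the channel's own name as the Windows event log subsystem knows it (for example Microsoft-Windows-UAC/Operational), not the folder path shown in Event Viewer and not the .evtx file name. The following PowerShell script is an added example, not code from this thread or from Splunk: it lists the channels matching a pattern, shows whether each one is enabled and holds records, and prints a ready-to-paste inputs.conf stanza for each. The default pattern value, the start_from/current_only settings and the output format are this example's own choices.

```powershell
# Added example: discover the exact channel names under
# "Applications and Services Logs" and emit matching inputs.conf stanzas.
# Run in an elevated PowerShell session on the host Splunk reads from.
param(
    # Substring of the channel name to match (assumed example value).
    [string]$Pattern = 'Microsoft-Windows-UAC',
    # Only list channels that currently hold at least one record.
    [switch]$WithRecordsOnly
)

# Get-WinEvent -ListLog enumerates every registered channel, including the
# "deeper" Microsoft-Windows-* ones that Splunk Web does not offer by default.
# Some channels are unreadable without extra rights; skip those quietly.
$channels = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.LogName -like "*$Pattern*" }

if ($WithRecordsOnly) {
    $channels = $channels | Where-Object { $_.RecordCount -gt 0 }
}

if (-not $channels) {
    Write-Warning "No channel name contains '$Pattern'. Check the spelling in Event Viewer (Properties -> Full Name)."
    return
}

# IsEnabled = False means the channel exists but is switched off (typical for
# Analytic/Debug channels); Splunk will index nothing from it until it is
# enabled, e.g. with:  wevtutil sl <LogName> /e:true
$channels |
    Select-Object LogName, IsEnabled, RecordCount, LogFilePath |
    Format-Table -AutoSize |
    Out-Host

# One stanza per channel, for a local inputs.conf
# (commonly $SPLUNK_HOME\etc\system\local\inputs.conf).
# start_from = oldest / current_only = 0 also pull the events already in the
# log rather than only new ones; drop them if you only want new events.
foreach ($c in $channels) {
    @"
[WinEventLog:$($c.LogName)]
disabled = 0
start_from = oldest
current_only = 0

"@
}
```

Run it as `.\Find-WinEventChannels.ps1 -Pattern 'PrintService' -WithRecordsOnly` (the file name is whatever you save it as) to confirm a role's channel actually exists and is populated before adding the stanza; a channel that is present but disabled, or enabled but empty, is a collection gap worth noticing before relying on those events for detection.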
sadkha
Path Finder

Hi FTK,

I'm trying to collect data from an EDM server, which is directly under Applications and Services Logs. The log path is:

%SystemRoot%\System32\Winevt\Logs\EDM Server.evtx

I've tried variations of [WinEventLog:Logs\EDM Server] and [WinEventLog:Applications and Services Logs\EDM Server] but it doesn't seem to work. Any idea?

0 Karma

piebob
Splunk Employee

ftk is the best!

0 Karma

piebob
Splunk Employee

You can monitor non-default Windows event logs by adding them to a local copy of your inputs.conf file:
http://www.splunk.com/base/Documentation/latest/Data/MonitorWindowsdata#Use_inputs.conf_to_configure...

You apparently have to import these event logs into the Windows Event Viewer beforehand, and then you can add a stanza for the specific event log.
I don't believe it's possible to add these non-default event logs via Splunk Web.

AaronMoorcroft
Communicator

I managed it with this -

[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
start_from = oldest
current_only = 0

marcmoennikes
Engager

Hello,

Thanks for your reply. I want to add events from logs which reside "deeper" in the event log structure in Windows 2008 R2.
When I open the Event Viewer I have a folder "Application and Services Logs". Under this folder "microsoft", "microsoft" and then the specific logs for different Windows server roles like Remote Desktop Connection Broker, Print Service and so on.

Regards

Marc

0 Karma

piebob
Splunk Employee

I'm not sure I understand the question. Are you saying you have added the System/Application/Security/etc. event logs as inputs and you do not see the events from them? Are you trying to collect these events from a remote host?

0 Karma