
Applications and Services Logs

Hello,

I want to collect events in the Windows 2008 (R2) event logs -> "Application and Services Logs" -> "Microsoft" -> "Windows".
When I use "Add Data" -> "Windows event logs" in the Splunk GUI, I only see event logs in the first hierarchy level, like "System", "Application", "PowerShell", "Security" and so on.
Is there any additional configuration needed to collect the events which are shown under "Application and Services Logs"?
Do I need Snare or a forwarder?

Thank you
Regards

Marc


Re: Applications and Services Logs

Splunk Employee

I'm not sure I understand the question. Are you saying you have added the System/Application/Security/etc. event logs as inputs and you do not see the events from them? Are you trying to collect these events from a remote host?

0 Karma

Re: Applications and Services Logs

Hello,

Thanks for your reply. I want to add events from logs which reside "deeper" in the event log structure in Windows 2008 R2.
When I open the Event Viewer I have a folder "Application and Services Logs". Under this folder are "Microsoft", "Microsoft" and then the specific logs for different Windows Server roles like Remote Desktop Connection Broker, Print Service and so on.

Regards

Marc

0 Karma

Re: Applications and Services Logs

Splunk Employee

You can monitor non-default Windows event logs by adding them to a local copy of your inputs.conf file:
http://www.splunk.com/base/Documentation/latest/Data/MonitorWindowsdata#Use_inputs.conf_to_configure...

You apparently have to import these event logs into the Windows Event Viewer beforehand, and then you can add a stanza for the specific event log.
I don't believe it's possible to add these non-default event logs via Splunk Web.


Re: Applications and Services Logs

Communicator

I managed it with this:

[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
start_from = oldest
current_only = 0


Re: Applications and Services Logs

Motivator

If you install Splunk on Windows 2008 and run it as an account with the appropriate privileges (e.g. Local System), you should be able to see all available event logs -- I know I can on my 2008 installs.

You can also add monitors for these logs manually in inputs.conf. For Event Viewer/Applications and Services/Microsoft/Windows/UAC/Operational, for example, you can add

[WinEventLog:Microsoft-Windows-UAC/Operational]
disabled = 0



Re: Applications and Services Logs

Splunk Employee

ftk is the best!

0 Karma

Re: Applications and Services Logs

Path Finder

Hi FTK,

I'm trying to collect data from an EDM server, which is directly under Applications and Services Logs. The log path is:

%SystemRoot%\System32\Winevt\Logs\EDM Server.evtx

I've tried variations of [WinEventLog:Logs\EDM Server] and [WinEventLog:Applications and Services Logs\EDM Server] but it doesn't seem to work. Any idea?

0 Karma
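The stanza names used above (WinEventLog:Microsoft-Windows-PrintService/Operational, WinEventLog:Microsoft-Windows-UAC/Operational) are Windows channel names, not .evtx file paths, which is why guessing a stanza from a path under Winevt\Logs does not work. The script below is an added example, not code from this thread or from Splunk: it lists the non-classic channels on the host with their on-disk file, and emits an inputs.conf stanza for each enabled one, so the right name for a log such as the "EDM Server" one can be read off rather than guessed. It assumes PowerShell 2.0 or later (available on Windows Server 2008 R2) and a session with rights to read channel configuration; the $Filter parameter is a hypothetical convenience for narrowing the listing.

```powershell
# Added example (not part of the thread): find the channel name behind an
# "Applications and Services Logs" entry and generate its inputs.conf stanza.
# Assumes PowerShell 2.0+ and an elevated session; $Filter is a hypothetical
# parameter, e.g. '*PrintService*' or '*EDM*', defaulting to every channel.
param(
    [string]$Filter = '*'
)

# Classic logs (Application, System, Security, ...) are what Splunk Web already
# offers; everything else is a non-default channel that needs a manual stanza.
# Channels the session cannot read are skipped silently.
$channels = Get-WinEvent -ListLog $Filter -ErrorAction SilentlyContinue |
    Where-Object { -not $_.IsClassicLog } |
    Sort-Object LogName

# Show the channel name next to its .evtx file so the two are not confused:
# the stanza must use LogName, never the file name or the Event Viewer folder.
$channels |
    Select-Object LogName, IsEnabled, RecordCount, LogFilePath |
    Format-Table -AutoSize

# Build one stanza per enabled channel. A channel that is disabled in Event
# Viewer is reported instead, because Windows is not writing events to it and
# Splunk would collect nothing until it is enabled.
$stanzas = foreach ($c in $channels) {
    if (-not $c.IsEnabled) {
        "# $($c.LogName) is disabled in Event Viewer; enable it before adding a stanza"
        continue
    }
    @(
        "[WinEventLog:$($c.LogName)]",
        "disabled = 0",
        "start_from = oldest",   # read the existing backlog on first start
        "current_only = 0"       # keep reading historical events, not just new ones
    ) -join "`n"
}

# Paste the output into a local inputs.conf and restart splunkd.
$stanzas -join "`n`n"
```

Run it as the same account the splunkd service uses; a channel that lists here but is missing under that account is a permission problem on the channel, not a stanza problem.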