Cannot receive WinEventLog via inputs.conf

Explorer

My current setup:

  • Splunk Indexer (Deployment Server)
  • Domain Controller (Windows Server 2008) - UF installed as Deployment Client

I wanted to use the Splunk App for Windows Infrastructure to read the logs, so I followed this documentation: https://docs.splunk.com/Documentation/MSApp/1.4.2/MSInfra/ConfiguretheSplunkAppforWindowsInfrastruct...

I have installed all add-ons required on both Splunk Indexer and Domain Controller. The networking and firewall rules are all fine because I can receive "Active Directory" logs in the Indexer.

However, I cannot get any WinEventLog (Security, Application, System) even though I have enabled the monitoring in inputs.conf (\etc\deployment-apps\Splunk_TA_windows\local\inputs.conf).
This is what my inputs.conf looks like:

# OS Logs

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml = false

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\sgroupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\sgroupPolicyContainer)"
index = wineventlog
renderXml = false

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml = false

Can anyone tell me the reason why I cannot get those logs to Indexer?
Thanks


Re: Cannot receive WinEventLog via inputs.conf

Legend

Hi johant,
there are some checks to perform on your system to find the problem:

  • are WinEventLogs enabled on your Domain Controller?
  • did you check that the Domain Controller and the Indexer have the same time?
  • check using ./splunk cmd btool inputs list --debug > inputs.txt whether there are other WinEventLog configurations where WinEventLog://Security is disabled

Bye.
Giuseppe



Re: Cannot receive WinEventLog via inputs.conf

Explorer

Hi Giuseppe,

  • Can you tell me how to check that? I can see the events in the Windows 'Event Viewer', so I assume it should be enabled?
  • Yes, both of them have the same system time.
  • I ran this command and I cannot see WinEventLog://Security, Application, System listed in inputs.txt. How do I make sure that those WinEventLog inputs are listed in there?

Thanks


Re: Cannot receive WinEventLog via inputs.conf

Legend

Sorry, maybe I was misunderstood: this command must be run on the forwarder, not on the indexer:

splunk cmd btool inputs list --debug > inputs.txt

Bye.
Giuseppe

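Giuseppe's btool check from the two posts above, automated as an added example that is not from the thread or from Splunk: the script parses the output of `splunk cmd btool inputs list --debug` (which prefixes every line with the .conf file it came from) and reports, for each WinEventLog stanza the poster expects, whether it is present, disabled (and by which file), or missing. The btool text below is constructed sample output, and the file paths in it are assumptions.

```python
import re

# One btool --debug line: "<path to .conf>   <conf line>"; paths may contain spaces.
LINE_RE = re.compile(r"^(?P<src>.+?\.conf)\s+(?P<body>.+?)\s*$")

# Constructed sample output (not captured from a real forwarder); paths are assumptions.
SAMPLE_BTOOL = r"""
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf  [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                host = DC01
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf  disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf  index = wineventlog
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf  [WinEventLog://Application]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf  disabled = 1
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf  index = wineventlog
"""

EXPECTED = ("WinEventLog://Security", "WinEventLog://Application", "WinEventLog://System")

def parse_btool(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src, body = m.group("src"), m.group("body")
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]                 # new stanza header
            stanzas.setdefault(current, {})
        elif current is not None and "=" in body:
            key, value = (p.strip() for p in body.split("=", 1))
            stanzas[current][key] = (value, src)  # remember which file won
    return stanzas

def check_inputs(text, expected=EXPECTED):
    """Map each expected stanza to 'ok', 'missing' or 'disabled by <file>'."""
    stanzas = parse_btool(text)
    report = {}
    for name in expected:
        if name not in stanzas:
            report[name] = "missing"             # no inputs.conf on the UF defines it
            continue
        value, src = stanzas[name].get("disabled", ("0", "(default)"))
        report[name] = "ok" if value.lower() in ("0", "false") else f"disabled by {src}"
    return report

if __name__ == "__main__":
    for stanza, status in check_inputs(SAMPLE_BTOOL).items():
        print(f"{stanza}: {status}")
```

A "missing" result is the symptom reported in this thread (the stanza never appears in inputs.txt, so the deployment app did not reach the forwarder), while a "disabled by" result names the inputs.conf that is overriding the deployed one.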

Re: Cannot receive WinEventLog via inputs.conf

Explorer

Yes, I ran that on the forwarder and I still cannot find WinEventLog://Security.
It is all right now: I re-installed the forwarder on the Windows machine, and when I run those commands I can see all the inputs that I wanted.


Re: Cannot receive WinEventLog via inputs.conf

Legend

Just an additional bit: at installation, the Splunk Forwarder on Windows usually configures WinEventLog ingestion.
To avoid problems like the ones you have, I usually disable this ingestion and install Splunk_TA_windows, configured to my project's needs, always using a Deployment Server.

Bye.
Giuseppe


Re: Cannot receive WinEventLog via inputs.conf

Motivator

Did you choose the "restart your forwarder" option after deployment when configuring the server class on your deployment server? If you make any change to your input stanzas, you need to restart your Splunk forwarder. Choose the option to restart the forwarder and push your bundle again.


Re: Cannot receive WinEventLog via inputs.conf

Explorer

Hi Hardik,

No, I did not enable that option; however, I manually restarted the UF and I still cannot get the logs to my indexer.
Is it a best practice to automatically restart the forwarder every time I make a deployment?

Thanks


Re: Cannot receive WinEventLog via inputs.conf

Motivator

It will depend on the type of applications that you are pushing to the forwarder. But to be on the safer side you can keep this option selected.


Re: Cannot receive WinEventLog via inputs.conf

Explorer

How did you enable these logs? I failed to change disabled=0 for System and Application. Even though I am trying to do it after stopping splunkd, I am still receiving an error that the file is open somewhere.
