Event ID monitoring --> I need to get all the Event ID details into Splunk. I used the stanzas below and am not getting data. Please help.
[WinEventLog://Setup]
checkpointInterval = 5
current_only = 0
disabled = 0
whitelist1 = 1,2,3,4
index = sag_windows_normal
ignoreOlderThan = 7d
sourcetype = WinEventLog:Setup
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
whitelist = *
index = sag_windows_normal
ignoreOlderThan = 7d
sourcetype = WinEventLog:Application
[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
whitelist1 = *
index = sag_windows_normal
ignoreOlderThan = 7d
sourcetype = WinEventLog:System
Hi @AK_Splunk,
if you don't want to filter your events, don't use the whitelist option, not even "whitelist=*".
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
index = sag_windows_normal
ignoreOlderThan = 7d
sourcetype = WinEventLog:Application
[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
index = sag_windows_normal
ignoreOlderThan = 7d
sourcetype = WinEventLog:System
Ciao.
Giuseppe
@gcusello, thanks for your prompt reply.
I have another question with respect to Event ID monitoring.
I have two Event ID apps, named below, with only a few configuration differences.
1) Eventid1 --> the inputs.conf stanza covers monitoring of all Event IDs and indexes the data to index1
2) Eventid2 --> the inputs.conf stanza covers monitoring of specific Event IDs, for example 1,2,3,4,5,6, to index2
All other configuration with respect to source and sourcetype remains the same for both apps. Once both apps are pushed to one specific Windows server, according to my understanding both should work and provide data for their respective Event IDs.
But when I implement this, only one of them works and brings in data. Please help me implement this.
Hi @AK_Splunk,
it's always better to create a new post for a new question, to get a quicker and maybe a better answer from more people.
Anyway, two questions:
if they are the same, by default Splunk doesn't index an event twice; if they are different, you have to analyze the monitoring stanzas.
If you want to put events in different indexes, you have to override the index value in this way:
On the Indexers or (if present) on the Heavy Forwarders, insert these:
props.conf
[mysourcetype]
# index-time transform, applied to this sourcetype on the first parsing tier
TRANSFORMS-index = overrideindex
transforms.conf
[overrideindex]
DEST_KEY = _MetaData:Index
REGEX = <regex_for_specific_ids>
FORMAT = index2
Ciao.
Giuseppe
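As an added example (not part of Giuseppe's reply or the poster's apps), here is that props.conf / transforms.conf pair filled in for the case in the question: a single inputs.conf stanza collects the Application channel once into index1, and the parsing tier re-routes events whose EventCode is 1 through 6 to index2. The names index1, index2 and the sourcetype are the placeholders used in the thread; the regex assumes the default plain-text (non-XML) rendering, in which each event carries an `EventCode=<n>` line. Two stanzas with the same `[WinEventLog://Application]` name in two apps are not both applied: Splunk's configuration layering merges them into one effective stanza, with the higher-precedence app's values winning, which is why only one app appeared to work.

```ini
# inputs.conf (on the Universal Forwarder). Constructed example: one stanza for
# the channel, no whitelist, so every event is read exactly once and sent to index1.
[WinEventLog://Application]
disabled = 0
current_only = 0
checkpointInterval = 5
ignoreOlderThan = 7d
renderXml = false
index = index1
sourcetype = WinEventLog:Application

# props.conf (on the indexers, or on a heavy forwarder if one sits in the path;
# a Universal Forwarder does not parse, so a transform placed there has no effect).
# The TRANSFORMS- prefix makes this an index-time transform keyed on the sourcetype.
[WinEventLog:Application]
TRANSFORMS-index = overrideindex

# transforms.conf (same tier as props.conf).
# (?m) lets ^ and $ match per line inside the multi-line event; the class [1-6]
# matches exactly EventCode=1 .. EventCode=6 and nothing else (e.g. not 16 or 1903).
# Matching events get index2; everything else keeps index1 from inputs.conf.
[overrideindex]
REGEX = (?m)^EventCode=[1-6]\r?$
DEST_KEY = _MetaData:Index
FORMAT = index2
```

index2 must already exist on the indexers, otherwise the re-routed events are not stored. To check the routing, search `index=index2 sourcetype=WinEventLog:Application | stats count by EventCode` and confirm only codes 1 through 6 appear.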
Thanks for your reply. Yes, I do not want to filter anything. I want all the Event IDs with Information, Warning and Error to get indexed for Application, Setup and System.
I have removed whitelist=* from all three stanzas and am waiting for events to be generated.
Hi @AK_Splunk,
good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi @gcusello
I have pushed the inputs stanza below to one server
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
index = sag_windows_normal
ignoreOlderThan = 7d
sourcetype = WinEventLog:Application
But I am getting data in the format below. Both the data and the format look incorrect. Please assist me in resolving this issue.
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='HHCTRL'/><EventID Qualifiers='0'>1903</EventID><Level>4</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2022-12-08T07:59:58.000000000Z'/><EventRecordID>12345678</EventRecordID><Channel>Application</Channel><Computer>serverfqdnaname</Computer><Security/></System><EventData><Data>http://go.microsoft.com/fwlink?LinkID=45839</Data></EventData></Event>
Hi @AK_Splunk,
as you can read at https://docs.splunk.com/Documentation/Splunk/9.0.2/Admin/Inputsconf, you have to use the renderXml option
renderXml = <boolean>
* Whether or not the input returns the event data in XML (eXtensible Markup
Language) format or in plain text.
* Set this to "true" to render events in XML.
* Set this to "false" to output events in plain text.
* If you set this setting to "true", you should also set the 'suppress_text',
'suppress_sourcename', 'suppress_keywords', 'suppress_task', and
'suppress_opcode' settings to "true" to improve thruput performance.
* Default: false
to have your output in a format other than XML.
Ciao.
Giuseppe
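Putting the two fixes from this thread together, here is an added example (not the posters' own configuration) of the three stanzas as they would look with the whitelist lines removed and XML rendering explicitly switched off. Index and sourcetype names are the ones from the thread. The commented-out lines at the end show the two filter syntaxes from inputs.conf.spec: the unnumbered `whitelist` accepts an ID list or ranges, while the numbered `whitelist1` to `whitelist9` take the `key=regex` form, which is why a line like `whitelist1 = 1,2,3,4` does not do what the original post intended.

```ini
# inputs.conf -- constructed example combining the two fixes discussed above.
# No whitelist/blacklist: every event in each channel is collected.
# renderXml = false (the default, stated here explicitly): events arrive as the
# classic multi-line text (LogName=, EventCode=, Message=...) rather than <Event ...> XML.

[WinEventLog://Application]
disabled = 0
current_only = 0
checkpointInterval = 5
ignoreOlderThan = 7d
renderXml = false
index = sag_windows_normal
sourcetype = WinEventLog:Application

[WinEventLog://System]
disabled = 0
current_only = 0
checkpointInterval = 5
ignoreOlderThan = 7d
renderXml = false
index = sag_windows_normal
sourcetype = WinEventLog:System

[WinEventLog://Setup]
disabled = 0
current_only = 0
checkpointInterval = 5
ignoreOlderThan = 7d
renderXml = false
index = sag_windows_normal
sourcetype = WinEventLog:Setup
# Only if a filter is wanted on this channel. Both lines below restrict the input
# to Event IDs 1-4 and are deliberately commented out so nothing is filtered:
# the unnumbered setting takes a list or range of IDs, the numbered one takes key=regex.
# whitelist  = 1-4
# whitelist1 = EventCode=%^[1-4]$%
```

After deploying, a quick check that the format is right is `index=sag_windows_normal sourcetype=WinEventLog:Application | head 1`: the raw event should start with a timestamp followed by `LogName=Application`, not with `<Event xmlns=`. If XML is actually wanted (renderXml = true), the docs quoted above recommend also setting the `suppress_*` options, and the usual sourcetype for that form is XmlWinEventLog.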
Thanks a lot!
It worked.