Getting Data In

Forwarder add Windows Event log command line

kceleslie
Engager

Is it possible to add to the splunk forwarder via the command line items from Windows Event viewer? I know we can update inputs.conf but is it possible via the command line?

If it is possible, shouldn't monitored event log items show up when you list monitored items?

splunk list monitor

Doesn't display event log items. Thanks

Tags (3)
0 Karma

bbiandov
Path Finder

edit C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf and add:

[WinEventLog://Application]
disabled = 0 
[WinEventLog://Security]
disabled = 0 
[WinEventLog://System]
disabled = 0 
[WinEventLog://DNS Server]
disabled = 0

Then restart the windows service for the universal forwarder to re-read the changes.

0 Karma

splunker12er
Motivator
Monitored Event Log Collections:
        localhost
                disabled:1
                hosts:localhost
                index:default
                logs:
                        Application
                        ForwardedEvents
                        HardwareEvents
                        Internet Explorer
                        Security
                        Setup
                        System

Just got the above as the result of

C:\Program Files\SplunkUniversalForwarder\bin>splunk list eventlog

how to enable the log monitor ?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You should be able to make a REST call against yourself from the CLI using this endpoint: http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput#POST_data.2Finputs.2Fwin-event-...

0 Karma

kceleslie
Engager

Thanks!
Just found this, looks like it is not possible with the CLI
http://answers.splunk.com/answers/9389/configuring-a-light-forwarder-to-monitor-the-windows-event-lo...

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Give this a try for listing:

splunk list eventlog

martin_mueller
SplunkTrust
SplunkTrust

Those don't show up in splunk list monitor because a Windows event log entry looks like this:

[WinEventLog://<name>]

rather than this:

[monitor://<path>]

Hence they're not monitor type stanzas.