Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Forwarder add Windows Event log command line

kceleslie
Engager
‎04-16-2014 07:31 AM

Is it possible to add to the splunk forwarder via the command line items from Windows Event viewer? I know we can update inputs.conf but is it possible via the command line?

If it is possible, shouldn't monitored event log items show up when you list monitored items?

splunk list monitor

Doesn't display event log items. Thanks

Tags (3)
0 Karma
Reply

bbiandov
Path Finder
‎03-23-2016 08:57 PM

edit C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf and add:

[WinEventLog://Application]
disabled = 0 
[WinEventLog://Security]
disabled = 0 
[WinEventLog://System]
disabled = 0 
[WinEventLog://DNS Server]
disabled = 0

Then restart the windows service for the universal forwarder to re-read the changes.

0 Karma
Reply

splunker12er
Motivator
‎10-01-2014 04:27 AM 
Monitored Event Log Collections:
        localhost
                disabled:1
                hosts:localhost
                index:default
                logs:
                        Application
                        ForwardedEvents
                        HardwareEvents
                        Internet Explorer
                        Security
                        Setup
                        System

Just got the above as the result of

C:\Program Files\SplunkUniversalForwarder\bin>splunk list eventlog

how to enable the log monitor ?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-16-2014 10:29 AM

You should be able to make a REST call against yourself from the CLI using this endpoint: http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput#POST_data.2Finputs.2Fwin-event-...

0 Karma
Reply

kceleslie
Engager
‎04-16-2014 10:18 AM

Thanks!
Just found this, looks like it is not possible with the CLI
http://answers.splunk.com/answers/9389/configuring-a-light-forwarder-to-monitor-the-windows-event-lo...

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-16-2014 09:49 AM

Give this a try for listing:

splunk list eventlog
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-16-2014 09:47 AM

Those don't show up in splunk list monitor because a Windows event log entry looks like this:

[WinEventLog://<name>]

rather than this:

[monitor://<path>]

Hence they're not monitor type stanzas.

Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top