Forwarder add Windows Event log command line

Engager

Is it possible to add items from the Windows Event Viewer to the Splunk forwarder via the command line? I know we can update inputs.conf, but is it possible via the command line?

If it is possible, shouldn't monitored event log items show up when you list monitored items?

splunk list monitor

Doesn't display event log items. Thanks


Path Finder

Edit C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf and add:

[WinEventLog://Application]
disabled = 0 
[WinEventLog://Security]
disabled = 0 
[WinEventLog://System]
disabled = 0 
[WinEventLog://DNS Server]
disabled = 0

Then restart the Windows service for the universal forwarder to re-read the changes.


Motivator
Monitored Event Log Collections:
        localhost
                disabled:1
                hosts:localhost
                index:default
                logs:
                        Application
                        ForwardedEvents
                        HardwareEvents
                        Internet Explorer
                        Security
                        Setup
                        System

Just got the above as the result of

C:\Program Files\SplunkUniversalForwarder\bin>splunk list eventlog

How do I enable the log monitor?


SplunkTrust

You should be able to make a REST call against yourself from the CLI using this endpoint: http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput#POST_data.2Finputs.2Fwin-event-...


Engager

Thanks!
Just found this; it looks like it is not possible with the CLI:
http://answers.splunk.com/answers/9389/configuring-a-light-forwarder-to-monitor-the-windows-event-lo...


SplunkTrust

Give this a try for listing:

splunk list eventlog

SplunkTrust

Those don't show up in splunk list monitor because a Windows event log entry looks like this:

[WinEventLog://<name>]

rather than this:

[monitor://<path>]

Hence they're not monitor-type stanzas.
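An added example, not from this thread or from Splunk itself, to illustrate the distinction above: a small Python parser over a constructed inputs.conf (the file path and the mix of channels are assumed) that separates monitor:// stanzas from WinEventLog:// stanzas the way `list monitor` and `list eventlog` do, and flags expected event log channels that are absent or left at disabled = 1, which is a collection gap for detection.

```python
import configparser

# Constructed sample inputs.conf (assumed content, not from the thread), mixing
# the two stanza forms discussed above: a file monitor and Windows Event Log channels.
SAMPLE_INPUTS_CONF = """\
[monitor://C:\\inetpub\\logs\\LogFiles]
disabled = 0
sourcetype = iis

[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 1
[WinEventLog://System]
disabled = 0
"""

# Channels a defender normally expects to be collected from every Windows host.
EXPECTED_CHANNELS = ("Application", "Security", "System")


def parse_inputs(text):
    """Return {(scheme, target): {key: value}} for each input stanza in inputs.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    stanzas = {}
    for section in cp.sections():
        scheme, sep, target = section.partition("://")
        if not sep:  # e.g. a [default] stanza carries no input scheme
            continue
        stanzas[(scheme, target)] = dict(cp[section])
    return stanzas


def list_inputs(stanzas, scheme):
    """Filter by scheme, mirroring 'splunk list monitor' vs 'splunk list eventlog'."""
    return sorted(target for (s, target) in stanzas if s == scheme)


def missing_event_logs(stanzas, expected=EXPECTED_CHANNELS):
    """Expected channels that are absent or have disabled = 1 (a collection gap)."""
    gaps = []
    for channel in expected:
        conf = stanzas.get(("WinEventLog", channel))
        if conf is None or conf.get("disabled", "0").strip().lower() in ("1", "true"):
            gaps.append(channel)
    return gaps


if __name__ == "__main__":
    s = parse_inputs(SAMPLE_INPUTS_CONF)
    print("monitor:", list_inputs(s, "monitor"))
    print("eventlog:", list_inputs(s, "WinEventLog"))
    print("gaps:", missing_event_logs(s))  # → ['Security']
```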
