Forwarding Saved Windows Events

Explorer

I have a Windows Splunk forwarder configured to forward all local Event logs; I have an event log from another server that I imported on this machine and want the Splunk forwarder to send this log's events to the Splunk server...

Is this achievable? If yes, how?

What are some of the best practices to import Windows Event logs for a particular Windows Event ID?

Thanks, Ashish

Splunk Employee

I am unsure, but believe the 'import' function is a data viewing operation?

We will try to read events from an evt or evtx file if you point Splunk at it to monitor, but note that there can be problems with moving event log data from one system to another, where some values cannot be resolved because of non-present operating system or application DLLs. This more typically results in incomplete data (missing fields) rather than a failure to read.

In general the Windows event log API is of much higher quality in Vista and later revisions of the platform (Vista, 7, 2008) than in earlier versions (XP, 2003), so it is preferable to run the event log collector on those later versions.

As for collecting a specific EventID, I cannot think of a nice way. You could definitely create props/transforms to discard all but your desired EventID for a given input by regex matching, but this is more than a bit tricky.

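The props/transforms approach mentioned in the answer, written out as an added example (not the answerer's configuration): a null-queue filter that discards every event except one EventCode. It assumes the imported events arrive under the classic WinEventLog:Security sourcetype and uses EventCode 4624 purely as an example value; both stanzas belong on the indexer or a heavy forwarder, because a universal forwarder does not run transforms.

```ini
# props.conf (indexer or heavy forwarder: transforms run at parse time,
# so a universal forwarder cannot apply them).
# Assumption: the imported events carry the classic WinEventLog:Security
# sourcetype. If `index=* | stats count by sourcetype` shows a different
# one for the monitored evtx file, change the stanza name to match.
[WinEventLog:Security]
TRANSFORMS-keep_one_eventcode = drop_everything, keep_eventcode

# transforms.conf. Transforms run in the order listed above and the last
# match that sets the queue wins, so the catch-all drop must come first
# and the keep rule second.
[drop_everything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_eventcode]
# The rendered event contains one "EventCode=<id>" line; 4624 is only an
# example value, substitute the ID you actually want to retain.
REGEX = (?m)^EventCode=4624\s*$
DEST_KEY = queue
FORMAT = indexQueue
```

Events that never match the keep regex are dropped before indexing, so verify the filter on a copy of the file first; anything routed to nullQueue is not recoverable from Splunk.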

Splunk Employee

The simple answer is that setting Splunk to monitor the specific path should work. If that is not working for you, then I recommend working with Splunk support to resolve the problem.

Explorer

The Splunk monitor is on Windows 7; the event logs are from Win2008 servers. When I try to import these evtx logs, it gives me the following error:

"Your entry was not saved. The following error was reported: SyntaxError: Unexpected token <"

Ashish
