
Forwarding windows event viewer logs to Splunk

kkossery
Communicator

I have installed Splunk on a Linux box and it is listening for incoming connections on 9997. Our Linux boxes send their syslog to it and that works fine.
The Windows boxes, however, do not send any Event Viewer logs. I installed SplunkForwarder on one and followed the prompts, where I entered the receiver server and port 9997. I also restarted the Splunk service just in case.
What additional configuration is needed to ensure Event Viewer logs/AD monitoring start to populate my Splunk instance sitting on the Linux box?
I'm able to telnet to 9997 from Windows to Linux, so it is not an access issue.

1 Solution

dglinder
Path Finder

When you installed the Splunk Universal Forwarder on the Windows system, did you check the appropriate check-boxes on the "Enable Windows Inputs" page near the end of the install?

If not, you'll need to enable them in the Windows system's "inputs.conf" file; see the Splunk documentation page on Windows event log inputs for details.

TL;DR notes:
Edit the inputs.conf on the Windows system (usually C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf) and add these lines:

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

You'll need to restart the SplunkUniversalForwarder service on the Windows system. Your Splunk index should start receiving these events.


patel1515
Loves-to-Learn Lots

Hey, I am wondering how I can send log files from Linux to Windows. I downloaded Splunk on Windows and the forwarder on Linux. I can telnet to 9997 from Linux to Windows, but I don't know how to send the files. Can anybody help me with it?


kkossery
Communicator

Installing on a different Windows box worked with the above settings. Thanks.


koolvasco
Explorer

I am getting the logs by installing the Splunk Universal Forwarder on my server and by modifying inputs.conf as shown below:

[WinEventLog://Security]
disabled = 0

But can somebody please tell me how I can get only event IDs 6276 and 6278, not all events?

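koolvasco's question is not answered in the thread, but the same [WinEventLog://...] stanza in inputs.conf accepts whitelist and blacklist keys, so the Universal Forwarder can drop unwanted events on the Windows host before they are sent to the indexer on 9997. As an added example (not code from the thread, from Splunk, or from the Splunk documentation), the script below parses a constructed inputs.conf modelled on the accepted answer's three stanzas, with the Security stanza narrowed to event IDs 6276 and 6278, and reports which constructed sample events would be forwarded. The matching is a deliberately simplified model (an assumption, not Splunk's code) of the two documented whitelist forms, `whitelist = 6276,6278` and `whitelist = EventCode=%^(6276|6278)$%`; other keys such as `User=` are ignored, and a stanza without a `disabled` key is assumed to be enabled.

```python
"""Offline check of a Splunk Universal Forwarder inputs.conf: which Windows
Event Log channels are enabled, and which event IDs pass a stanza whitelist.

Added example, not code from the thread or from Splunk. The whitelist logic is
a simplified model (assumption) of Splunk's documented forms:
  whitelist = <comma-separated event IDs or ranges>
  whitelist = EventCode=%<regex>%
Only the EventCode key is evaluated; other keys (User=, Message=, ...) are ignored.
"""
import configparser
import re

# Constructed sample inputs.conf: the three stanzas from the accepted answer,
# with Security narrowed to event IDs 6276 and 6278 and System switched off.
SAMPLE_INPUTS_CONF = """
[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0
whitelist = 6276,6278

[WinEventLog://System]
disabled = 1
"""

# Constructed sample events as (channel, event ID) pairs; not real log data.
SAMPLE_EVENTS = [
    ("Application", 1000),
    ("Security", 4624),
    ("Security", 6276),
    ("Security", 6278),
    ("System", 7036),
]

_ID_LIST = re.compile(r"^\s*\d+(\s*-\s*\d+)?(\s*,\s*\d+(\s*-\s*\d+)?)*\s*$")
_KEY_REGEX = re.compile(r"(\w+)=%([^%]*)%")


def parse_inputs_conf(text):
    """Return {channel: {key: value}} for every [WinEventLog://...] stanza."""
    # interpolation=None: Splunk delimits regexes with '%', which configparser
    # would otherwise treat as interpolation syntax.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    prefix = "WinEventLog://"
    return {s[len(prefix):]: dict(cp[s]) for s in cp.sections() if s.startswith(prefix)}


def is_enabled(stanza):
    """A stanza forwards unless it says disabled = 1 (missing key assumed enabled)."""
    return stanza.get("disabled", "0").strip() != "1"


def enabled_channels(stanzas):
    """Sorted list of channel names whose stanza is enabled."""
    return sorted(ch for ch, kv in stanzas.items() if is_enabled(kv))


def event_allowed(stanza, event_id):
    """Apply the stanza's whitelist (if any) to one event ID."""
    wl = stanza.get("whitelist")
    if wl is None:
        return True  # no whitelist: every event in the channel is forwarded
    if _ID_LIST.match(wl):
        # plain list form: "6276,6278" or ranges like "4624-4634"
        for part in wl.split(","):
            lo, _, hi = (p.strip() for p in part.partition("-"))
            lo, hi = int(lo), int(hi) if hi else int(lo)
            if lo <= event_id <= hi:
                return True
        return False
    # key=%regex% form: accept if an EventCode pattern matches the ID
    return any(key == "EventCode" and re.search(pat, str(event_id))
               for key, pat in _KEY_REGEX.findall(wl))


def forwarded_events(conf_text, events):
    """Events that an enabled stanza's whitelist lets through, in input order."""
    stanzas = parse_inputs_conf(conf_text)
    return [(ch, eid) for ch, eid in events
            if ch in stanzas and is_enabled(stanzas[ch]) and event_allowed(stanzas[ch], eid)]


if __name__ == "__main__":
    stanzas = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    print("enabled channels:", enabled_channels(stanzas))
    kept = set(forwarded_events(SAMPLE_INPUTS_CONF, SAMPLE_EVENTS))
    for ch, eid in SAMPLE_EVENTS:
        print(f"{ch}:{eid} -> {'forwarded' if (ch, eid) in kept else 'dropped'}")
```

Run it against the file you are about to drop into etc\system\local before restarting the SplunkForwarder service; it tells you whether a stanza is enabled and which IDs its whitelist keeps. For anything beyond EventCode filtering, confirm the result on the forwarder itself after the restart rather than trusting this model.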

dglinder
Path Finder

More details than "unable to install" would help.


kkossery
Communicator

I have tried doing this again on another Windows box and I'm unable to install the program that will forward logs to the Splunk box. Can someone help?


kkossery
Communicator

Thank you for these links. However, I see some things are missing here:

Configure remote event log monitoring
1. Click Settings in the upper right-hand corner of Splunk Web.
2. Under Data, click Data Inputs.
3. Click Remote event log collections.
4. Click Add new to add an input.

I do not see Remote event log collections under Data Inputs. Do I need to activate something in Splunk on my Linux box to show this?
