Getting Data In

Forwarding windows event viewer logs to Splunk

kkossery
Communicator

I have installed Splunk on a Linux box and it is listening for incoming connections on 9997. Our Linux boxes send their syslog to it and it works fine.
The Windows boxes however do not send any event viewer logs. I installed SplunkForwarder on it and followed the prompts where I entered the Receiver server and port 9997. Also restarted the splunk service just in case.
What additional configuration is needed to ensure Event Viewer logs/AD monitoring start to populate my Splunk sitting on the Linux box?
I'm able to telnet to 9997 from Windows to Linux so it is not an access issue.

1 Solution

dglinder
Path Finder

When you installed the Splunk Universal Forwarder on the Windows system, did you check the appropriate check-boxes on the "Enable Windows Inputs" page near the end of the install?

If not, you'll need to enable them in the Windows system's "inputs.conf" file; see the Splunk documentation for details.

TL;DR notes:
Edit the inputs.conf on the Windows system (usually C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf) and add these lines:

# Enable the three core Windows Event Log channels on the forwarder
[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

You'll need to restart the SplunkUniversalForwarder service on the Windows system. Your Splunk index should start receiving these events.


patel1515
Loves-to-Learn Lots

Hey, I am wondering how I can send log files from Linux to Windows. I downloaded Splunk on Windows and the forwarder on Linux. I can telnet to 9997 from Linux to Windows but I don't know how to send the files. Can anybody help me with it?



kkossery
Communicator

Installing on a different Windows box worked with the above settings. Thanks.


koolvasco
Explorer

I am getting the logs by installing the Splunk Universal Forwarder on my server and by modifying inputs.conf as shown below:

[WinEventLog://Security]
disabled = 0

But can somebody please tell me how I can get only event IDs 6276 and 6278, not all events?

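The accepted answer's inputs.conf stanzas and the follow-up question about keeping only two event IDs, worked as an added example that is not code from any post here or from Splunk: a small Python model of how the Universal Forwarder layers its shipped default inputs.conf under the etc/system/local one, so you can see whether a WinEventLog channel is actually enabled. The two file contents are constructed for illustration; whitelist is a real inputs.conf key for WinEventLog inputs.

```python
# Added example (not code from the thread or from Splunk): a model of how the
# Universal Forwarder layers inputs.conf, so you can see whether a WinEventLog
# channel is really enabled; local overrides the shipped defaults stanza by stanza.
import re

STANZA = re.compile(r"^\[(.+)\]$")

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; '#' lines are comments."""
    conf, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            cur = m.group(1)
            conf.setdefault(cur, {})
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            conf[cur][key.strip()] = value.strip()
    return conf

def merge(*layers):
    """Later layers win key by key, like etc/system/local over default in Splunk."""
    out = {}
    for layer in layers:
        for stanza, keys in layer.items():
            out.setdefault(stanza, {}).update(keys)
    return out

def enabled_channels(conf):
    """WinEventLog channels whose effective 'disabled' is 0/false (absent = 0)."""
    return sorted(s.split("://", 1)[1] for s, k in conf.items()
                  if s.startswith("WinEventLog://")
                  and k.get("disabled", "0").lower() in ("0", "false"))

# Constructed stand-in for the shipped defaults: the channels exist but are
# off, which is why a fresh install forwards nothing until local turns them on.
DEFAULT_CONF = ("[WinEventLog://Application]\ndisabled = 1\n"
                "[WinEventLog://Security]\ndisabled = 1\n"
                "[WinEventLog://System]\ndisabled = 1\n")
# Local override from the accepted answer, plus whitelist (a real inputs.conf key
# for WinEventLog inputs) keeping only the two Security event IDs asked about.
LOCAL_CONF = ("[WinEventLog://Application]\ndisabled = 0\n"
              "[WinEventLog://Security]\ndisabled = 0\nwhitelist = 6276,6278\n"
              "[WinEventLog://System]\ndisabled = 0\n")

def effective(default_text=DEFAULT_CONF, local_text=LOCAL_CONF):
    return merge(parse_conf(default_text), parse_conf(local_text))
```

Run enabled_channels(effective()) to see all three channels turned on, and enabled_channels(parse_conf(DEFAULT_CONF)) to see why the defaults alone forward nothing.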

dglinder
Path Finder

More details than "unable to install" would help.


kkossery
Communicator

I have tried doing this again on another Windows box and I'm unable to install the program that will forward logs to the Splunk box. Can someone help?


kkossery
Communicator

Thank you for these links. However, I see some things are missing here:

Configure remote event log monitoring
1. Click Settings in the upper right-hand corner of Splunk Web.
2. Under Data, click Data Inputs.
3. Click Remote event log collections.
4. Click Add new to add an input.

I do not see Remote event log collections under Data Inputs. Do I need to activate something on my Linux box Splunk to show this?
