Help with Windows Print Server admin log
The print server OS is Windows Server 2019
I would like to get the PrintService-Admin log into Splunk.
I tried the following in the input.conf of the Universal Forwarder on the print server.
[WinEventLog://Microsoft-Windows-PrintService/Admin]
disabled = 0
index = winps
Which is found in https://community.splunk.com/t5/Getting-Data-In/Microsoft-Windows-PrintService-Operational-Logs/m-p/...
But I cannot find any events from the index.
The log is enabled in the server, which is under Applications and Services Logs > Microsoft > Windows > PrintService
I also tried to set the data input from web console to monitor the log file in folder: C:\Windows\System32\winevt\Logs
With RegEx:
Microsoft\-Windows\-PrintService.+\.evtx
So I can get
Microsoft-Windows-PrintService%4Admin.evtx
AND
Microsoft-Windows-PrintService%4Operational.evtx
But also, no event is shown for the index.
Hope somebody can help with this.
Thanks
1. You can't get events directly from evtx files so don't even bother trying 😉 But seriously - UF uses system calls to query eventlog channels so no direct reading from the files is involved.
2. Are you getting _any_ eventlogs from this UF?
3. What user does your splunkd.exe run with? Did you adjust ACLs on the eventlogs? Did you grant the user proper privileges?
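One way to collect the answers to points 2 and 3 on the print server is the following PowerShell check. It is an added example, not part of the original thread. It assumes the forwarder runs under the default service name `SplunkForwarder` and that the session is elevated.

```powershell
# Added diagnostic example (not from the thread).
$channel     = 'Microsoft-Windows-PrintService/Admin'
$serviceName = 'SplunkForwarder'   # assumption: default UF service name

# Is the channel enabled, and does it contain any records at all?
$log = Get-WinEvent -ListLog $channel -ErrorAction Stop
[pscustomobject]@{
    Channel     = $log.LogName
    Enabled     = $log.IsEnabled
    RecordCount = $log.RecordCount
    LogFile     = $log.LogFilePath
} | Format-List

# Which account does splunkd run as?
$svc = Get-CimInstance Win32_Service -Filter "Name='$serviceName'"
if ($svc) {
    '{0} runs as {1} (state: {2})' -f $svc.Name, $svc.StartName, $svc.State
} else {
    Write-Warning "Service '$serviceName' not found; adjust `$serviceName."
}

# Which principals does the channel ACL allow or deny read access?
# Event log access mask bits: 0x1 = read, 0x2 = write, 0x4 = clear.
if (-not $log.SecurityDescriptor) {
    'No channel-specific security descriptor is set.'
} else {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($log.SecurityDescriptor)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if (-not ($ace.AccessMask -band 0x1)) { continue }
        try {
            $name = $ace.SecurityIdentifier.Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $ace.SecurityIdentifier.Value   # SID with no resolvable name
        }
        [pscustomobject]@{
            Type      = $ace.AceType
            Principal = $name
            Mask      = '0x{0:X}' -f $ace.AccessMask
        }
    }
}
```

Compare the account from the second step with the principals listed in the third, keeping in mind that access can also come through group membership, which this listing does not expand.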