Getting Data In

How can I get the remote Windows Logs?

mailmetoramu
Explorer

Hi All,

I have installed the Universal Forwarder on my remote Windows machine. Actually, I have tried configuring "Remote event Logs", which is under "Add Data".

While configuring this, it asks for the remote Windows machine name, and when I enter it, it throws the error below:

"Unable to get wmi classes from host 'XXYYZZ'. This host may not be reachable or WMI may be misconfigured"

Can anyone help me with this so I can get my remote Windows logs?

Thanks,

Ramu.R

1 Solution

FrankVl
Ultra Champion

If you want to collect the logs through the UF, then you shouldn't use Add Data -> Remote Windows Logs on your Enterprise instance (at least I assume that's where you were trying that?). You need to either configure the inputs locally on the UF, or by using forwarder management from an Enterprise instance (turning that into a Deployment Server for your UFs).


mailmetoramu
Explorer

Hi Frank,

I have configured the inputs.conf file on my Universal Forwarder on my remote Windows machine and restarted the forwarder, but after that I am still not getting any logs into my Splunk Enterprise instance. Please find the configuration below:

[script ://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[monitor ://C :\logs\remote_access.log]
sourcetype = remote_access_logs
index = remotelogs

[WinEventLog ://Application]
index=remotelogs

[WinEventLog ://Security]
index=remotelogs

[WinEventLog ://System]
index=remotelogs


FrankVl
Ultra Champion

You need to remove the spaces from those stanzas. Also: have you configured the UF to forward to the Enterprise instance (and are its internal logs indeed coming through)?


mailmetoramu
Explorer

Yes, I have configured it and I am getting internal logs (Splunk logs) from my remote Windows machine. Anyway, let me try removing the space in the stanzas.


FrankVl
Ultra Champion

To clarify what I meant, it should be: [WinEventLog://System] not [WinEventLog ://System]


mailmetoramu
Explorer

Got it, Thank You.


mailmetoramu
Explorer

Please let me know the exact search query to fetch the logs; actually I am using the one below:

index="remotelogs" sourcetype="WinEventLog*" (no results found for this)


FrankVl
Ultra Champion

You're not setting any sourcetype in inputs.conf. I'm not 100% sure whether some default config fixes that for Windows events, but you might want to assign it properly in inputs.conf. Search for just index=remotelogs to see if the issue is the sourcetype not being what you expect.

If the sourcetype is fine, you'll need to do some further troubleshooting.

Does that index exist on your enterprise instance?
Any errors/warnings in splunkd.log on the UF?


mailmetoramu
Explorer

My final inputs.conf file:

[default]
host=XXYYZZ

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled=0

[monitor://C:\Program Files]

[WinEventLog://Application]
index=''_internal''

[WinEventLog://Security]
index=''_internal''

[WinEventLog://System]
index=''_internal''

I tried the query below:

Index=_Internal

I got the message below:

Received event for unconfigured/disabled/deleted index=''_internal'' with source="source::WinEventLog:System" host="host::XXYYZZ" sourcetype="sourcetype::WinEventLog:System". So far received events from 2 missing index(es).

Can we create a new index on Splunk Enterprise?


FrankVl
Ultra Champion
  1. Such event logs should not be sent into the _internal index. That is meant for Splunk's internal logs.
  2. Previously you had it configured to send to the remotelogs index; did you get similar errors about that index being missing? If so, go to the index configuration on your Enterprise instance, create the remotelogs index, and use that in your inputs.conf.
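The thread ends up hitting three separate inputs.conf faults on the forwarder: whitespace inside the stanza header ([WinEventLog ://System] instead of [WinEventLog://System]), an index value wrapped in quotes (the "unconfigured/disabled/deleted index" message for _internal, an index that always exists, only makes sense if the quotes became part of the index name), and an index (remotelogs) that had not been created on the indexer. None of these is reported at startup; the events are silently dropped or end up in the wrong place. The lint below catches all three before an app is pushed out. It is an added example written for this page, not Splunk's code or anything posted in the thread; the .conf texts inside it are constructed from the thread's posts, and it assumes you can read the indexer's indexes.conf (or an export of Settings > Indexes) alongside the forwarder's inputs.conf.

```python
"""Lint a Universal Forwarder inputs.conf before deploying it.

Added example for the thread above (not Splunk's code). It flags whitespace
around '://' in a stanza header, an index value that keeps its quotes,
Windows event logs routed into _internal, and an index the indexer does not
define. Sample .conf texts are constructed from the thread's posts.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Indexes every Splunk Enterprise instance ships with (the ones that matter here).
BUILTIN_INDEXES = {"main", "summary", "history", "_internal", "_audit",
                   "_introspection", "_thefishbucket"}

# Constructed: the UF inputs.conf roughly as first posted (spaces in headers,
# quoted index name, event logs sent to _internal, remotelogs not yet created).
BAD_INPUTS_CONF = r"""
[default]
host=XXYYZZ

[script ://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled=0

[monitor ://C :\logs\remote_access.log]
sourcetype=remote_access_logs
index=remotelogs

[WinEventLog ://Application]
index="_internal"

[WinEventLog://Security]
index=remotelogs

[WinEventLog://System]
index=remotelogs
"""

# Constructed: the same inputs after the fixes from the thread. Note the space
# inside the monitor path is legitimate and must not be flagged.
GOOD_INPUTS_CONF = r"""
[default]
host=XXYYZZ

[monitor://C:\Program Files]
index=remotelogs

[WinEventLog://Application]
index=remotelogs

[WinEventLog://Security]
index=remotelogs

[WinEventLog://System]
index=remotelogs
"""

# Constructed indexes.conf from the indexer, before and after creating remotelogs.
INDEXES_BEFORE = "[other_app]\nhomePath = $SPLUNK_DB/other_app/db\n"
INDEXES_AFTER = INDEXES_BEFORE + "\n[remotelogs]\nhomePath = $SPLUNK_DB/remotelogs/db\n"


@dataclass(frozen=True)
class Finding:
    code: str
    stanza: str
    message: str


def parse_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse Splunk .conf text into {stanza header: {key: value}}.

    Headers are kept exactly as written between the brackets so stray
    whitespace stays visible; values are kept verbatim, quotes included,
    because Splunk does not strip them either."""
    stanzas: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def normalize_header(header: str) -> str:
    """Drop whitespace around '://' only; spaces inside a path are kept."""
    return re.sub(r"\s*://\s*", "://", header)


def defined_indexes(indexes_conf: str) -> set[str]:
    """Index names the indexer knows: indexes.conf stanzas plus the built-ins."""
    names = {h for h in parse_conf(indexes_conf)
             if h != "default" and not h.startswith("volume:")}
    return names | BUILTIN_INDEXES


def lint_inputs(inputs_conf: str, indexes_conf: str) -> list[Finding]:
    stanzas = parse_conf(inputs_conf)
    known = defined_indexes(indexes_conf)
    default_index = stanzas.get("default", {}).get("index")  # inherited if set
    findings: list[Finding] = []
    for header, opts in stanzas.items():
        if header == "default":
            continue
        if re.search(r"\s://|://\s", header):
            findings.append(Finding("STANZA_WHITESPACE", header,
                f"whitespace around '://'; use [{normalize_header(header)}]"))
        scheme = header.split("://", 1)[0].strip().lower()
        index = opts.get("index", default_index)
        if not index:
            continue  # no index set: events land in main, which always exists
        bare = index.strip("\"'")
        if index[0] in "\"'" or index[-1] in "\"'":
            findings.append(Finding("QUOTED_INDEX", header,
                f"index value {index} keeps its quotes; write index={bare}"))
        if scheme == "wineventlog" and bare == "_internal":
            findings.append(Finding("EVENTLOG_TO_INTERNAL", header,
                "_internal is for Splunk's own logs; use a dedicated index"))
        if bare not in known:
            findings.append(Finding("UNKNOWN_INDEX", header,
                f"index '{bare}' is not defined on the indexer; create it first"))
    return findings


if __name__ == "__main__":
    for f in lint_inputs(BAD_INPUTS_CONF, INDEXES_BEFORE):
        print(f"{f.code:22} [{f.stanza}] {f.message}")
    print("fixed config:", lint_inputs(GOOD_INPUTS_CONF, INDEXES_AFTER) or "clean")
```

Run it against the app directory you are about to push from the deployment server, with indexes.conf pulled from the indexer. The thread's own error text shows the forwarder already tags the events sourcetype::WinEventLog:System without an explicit sourcetype line, so once the index exists the search index=remotelogs sourcetype=WinEventLog* returns them; the same "Received event for unconfigured/disabled/deleted index" line is what to grep for in splunkd.log when a forwarder goes quiet.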

mailmetoramu
Explorer

Thanks a lot, Mr. Frank, it worked, you rock man 🙂
