How can I get the remote Windows Logs?

Explorer

Hi All,

I have installed the Universal Forwarder on my remote Windows machine. Actually, I have tried configuring "Remote Event Logs", which is under "Add Data".

While configuring this, it asks for the remote Windows machine name, and on entering it, it throws the error below:

"Unable to get wmi classes from host 'XXYYZZ'. This host may not be reachable or WMI may be misconfigured"

Can anyone help on this to get my remote windows logs?

Thanks,

Ramu.R

1 Solution

Ultra Champion

If you want to collect the logs through the UF, then you shouldn't use Add Data -> Remote Windows Logs on your Enterprise instance (at least I assume that's where you were trying that?). You need to either configure the inputs locally on the UF, or by using forwarder management from an Enterprise instance (turning that into a Deployment Server for your UFs).

Explorer

Hi Frank,

I have configured the inputs.conf file on the Universal Forwarder on my remote Windows machine and restarted the forwarder, but I am still not getting any logs into my Splunk Enterprise instance. Please find the configuration below:

[script ://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[monitor ://C :\logs\remote_access.log]
sourcetype = remote_access_logs
index = remotelogs

[WinEventLog ://Application]
index=remotelogs

[WinEventLog ://Security]
index=remotelogs

[WinEventLog ://System]
index=remotelogs

Ultra Champion

You need to remove the spaces from those stanzas. Also: have you configured the UF to forward to the Enterprise instance (and are its internal logs indeed coming through)?

Explorer

Yes, I have configured it, and I am getting internal logs (Splunk logs) from my remote Windows machine. Anyway, let me try removing the spaces in the stanzas.

Ultra Champion

To clarify what I meant, it should be [WinEventLog://System], not [WinEventLog ://System].

Explorer

Got it, Thank You.

Explorer

Please let me know the exact search query to fetch the logs; actually I am using the one below:

index="remotelogs" sourcetype="WinEventLog*" (no results found for this)

Ultra Champion

You're not setting any sourcetype in inputs.conf. I'm not 100% sure whether some default config fixes that for Windows events, but you might want to properly assign it in inputs.conf. Search for just index=remotelogs to see if the issue is with the sourcetype not being what you expect.

If the sourcetype is fine, you'll need to do some further troubleshooting.

Does that index exist on your enterprise instance?
Any errors/warnings in splunkd.log on the UF?

Explorer

My final inputs.conf file:

[default]
host=XXYYZZ

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled=0

[monitor://C:\Program Files]

[WinEventLog://Application]
index="_internal"

[WinEventLog://Security]
index="_internal"

[WinEventLog://System]
index="_internal"

Tried the query below:

Index=_Internal

Got this message:

Received event for unconfigured/disabled/deleted index="_internal" with source="source::WinEventLog:System" host="host::XXYYZZ" sourcetype="sourcetype::WinEventLog:System". So far received events from 2 missing index(es).

Can we create a new index on Splunk Enterprise?

Ultra Champion
  1. Such event logs should not be sent into the _internal index. That is meant for Splunk internal logs.
  2. Previously you had it configured to send to the remotelogs index; did you get similar errors about the index being missing? If so, go to index configuration on your Enterprise instance, create the remotelogs index, and use that in your inputs.conf.
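
As an added example (not from the thread, and not Splunk's own code), a small Python checker that parses an inputs.conf text and reports the three problems hit in this thread: a space before `://` in a stanza header, an event-log input pointed at the reserved _internal index, and an index that was never created on the indexer. The sample configuration and the set of indexes assumed to exist on the indexer are constructed for the demo.

```python
import re

# Constructed sample (not copied from the thread): the first two stanzas reproduce
# the space-before-:// mistake, the last one points an event log at _internal.
SAMPLE_CONF = r"""
[script ://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog ://Security]
index=remotelogs

[WinEventLog://System]
index=_internal
"""

KNOWN_SCHEMES = {"monitor", "script", "WinEventLog"}  # input types used in the thread
HEADER_RE = re.compile(r"^(?P<scheme>[A-Za-z]+)://(?P<path>.+)$")  # no spaces allowed


def parse_inputs_conf(text):
    """Return {raw stanza header: {key: value}}; headers are kept exactly as written."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def lint_inputs_conf(text, indexes_on_indexer):
    """Flag malformed headers, _internal misuse, and indexes missing on the indexer."""
    findings = []
    for header, keys in parse_inputs_conf(text).items():
        if header == "default":  # global settings stanza, not an input
            continue
        m = HEADER_RE.match(header)
        if not m:
            findings.append(f"malformed stanza header [{header}]: expected [scheme://path] with no spaces")
            continue
        if m["scheme"] not in KNOWN_SCHEMES:
            findings.append(f"[{header}]: unknown input scheme {m['scheme']!r}")
        idx = keys.get("index")
        if idx is None:
            continue  # no index set: Splunk uses its default index
        if idx.startswith("_"):
            findings.append(f"[{header}]: index {idx} is reserved for Splunk internal logs")
        elif idx not in indexes_on_indexer:
            findings.append(f"[{header}]: index {idx} does not exist on the indexer; create it first")
    return findings
```

Running `lint_inputs_conf(SAMPLE_CONF, {"remotelogs", "main"})` reports both malformed headers and the _internal misuse; a clean stanza with an index that exists returns no findings.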

Explorer

Thanks a lot Mr. Frank, it worked, you rock man 🙂
