
How can I get the remote Windows Logs?

Explorer

Hi All,

I have installed the Universal Forwarder on my remote Windows machine. Actually, I have tried configuring ''Remote event Logs'', which is under ''Add Data''.

While configuring this, it asks for the remote Windows machine name, and when I enter it, it throws the error below:

''Unable to get wmi classes from host 'XXYYZZ'. This host may not be reachable or WMI may be misconfigured''

Can anyone help me with this so I can get my remote Windows logs?

Thanks,

Ramu.R


Re: How can I get the remote Windows Logs?

Ultra Champion

If you want to collect the logs through the UF, then you shouldn't use Add Data -> Remote Windows Logs on your Enterprise instance (at least I assume that's where you were trying that?). You need to either configure the inputs locally on the UF, or configure them using forwarder management from an Enterprise instance (turning that into a Deployment Server for your UFs).


Re: How can I get the remote Windows Logs?

Explorer

Hi Frank,

I have configured the inputs.conf file on my Universal Forwarder on my remote Windows machine and restarted the forwarder, but after that I am still not getting any logs into my Splunk Enterprise instance. Please find the configuration below:

[script ://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[monitor ://C :\logs\remoteaccess.log]
sourcetype = remote
access_logs
index = remotelogs

[WinEventLog ://Application]
index=remotelogs

[WinEventLog ://Security]
index=remotelogs

[WinEventLog ://System]
index=remotelogs


Re: How can I get the remote Windows Logs?

Ultra Champion

You need to remove the spaces from those stanzas. Also: have you configured the UF to forward to the Enterprise instance (and are its internal logs indeed coming through)?


Re: How can I get the remote Windows Logs?

Explorer

Yes, I have configured it, and I am getting internal logs (Splunk logs) from my remote Windows machine. Anyway, let me try removing the space between the stanzas.


Re: How can I get the remote Windows Logs?

Ultra Champion

To clarify what I meant, it should be: [WinEventLog://System] not [WinEventLog ://System]


Re: How can I get the remote Windows Logs?

Explorer

Got it, thank you.


Re: How can I get the remote Windows Logs?

Explorer

Please let me know the exact search query to fetch the logs. Actually, I am using the one below:

index=''remotelogs'' sourcetype=''WinEventLog*'' (no results found for this)


Re: How can I get the remote Windows Logs?

Ultra Champion

You're not setting any sourcetype in inputs.conf. I'm not 100% sure if maybe some default config fixes that for Windows events, but you might want to properly assign it in inputs.conf. Search for just index=remotelogs to see if the issue is with the sourcetype not being what you expect.

If the sourcetype is fine, you'll need to do some further troubleshooting.

Does that index exist on your enterprise instance?
Any errors/warnings in splunkd.log on the UF?


Re: How can I get the remote Windows Logs?

Explorer

My final inputs.conf file:

[default]
host=XXYYZZ

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled=0

[monitor://C:\Program Files]

[WinEventLog://Application]
index=''_internal''

[WinEventLog://Security]
index=''_internal''

[WinEventLog://System]
index=''_internal''

Tried the query below:

Index=_Internal

Got this message:

Received event for unconfigured/disabled/deleted index=''_internal'' with source="source::WinEventLog:System" host="host::XXYYZZ" sourcetype="sourcetype::WinEventLog:System". So far received events from 2 missing index(es).

Can we create a new index on Splunk Enterprise?

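A small checker for the inputs.conf mistakes this thread runs into (whitespace inside stanza headers, and an index value that is quoted or does not exist on the indexer), written as an added example for this thread and not code from the poster or from Splunk; the sample config is constructed from the snippets above, and the set of indexes known to the indexer is an assumption.

```python
import re

# Constructed sample modelled on the configs posted in this thread (not the poster's file verbatim).
SAMPLE_INPUTS_CONF = """\
[default]
host=XXYYZZ

[WinEventLog ://Security]
index=remotelogs

[monitor ://C :\\logs\\remoteaccess.log]
sourcetype = remote_access_logs
index = remotelogs

[WinEventLog://System]
index=''_internal''
"""

STANZA_RE = re.compile(r"^\[(.*)\]$")


def parse_inputs_conf(text):
    """Return a list of (stanza_header, {key: value}) in file order, with keys and values stripped."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = (m.group(1), {})
            stanzas.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[1][key.strip()] = value.strip()
    return stanzas


def lint_inputs_conf(text, known_indexes):
    """Return (stanza_header, message) findings for the problems discussed in this thread."""
    findings = []
    for header, kv in parse_inputs_conf(text):
        if header == "default":
            continue
        if re.search(r"\s", header):  # e.g. [WinEventLog ://System] is not a valid input stanza
            findings.append((header, "whitespace inside stanza header; write e.g. [WinEventLog://System]"))
        index = kv.get("index")
        if index is not None:
            if index != index.strip("\"'"):  # quotes become part of the index name the indexer looks up
                findings.append((header, "index value is quoted; indexer will report an unconfigured index"))
            elif index not in known_indexes:  # assumed known-index set; events to a missing index are dropped
                findings.append((header, f"index {index!r} does not exist on the indexer; create it first"))
    return findings
```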