Getting Data In

How to collect Microsoft Web Application Proxy logs from a remote host?

frippe15
New Member

Hi,

I want to collect Microsoft Web Application Proxy logs from a remote host. I tried with WMI, but in the Splunk Web, it doesn't show up from my remote hosts.
I also tried adding to inputs.conf and installing a forwarder on the remote host, but same result. It doesn't show in Splunk Web. Am I missing something?

0 Karma
1 Solution

Richfez
SplunkTrust

To help narrow down where this is going wrong can you:

1) Try collecting the regular Windows System logs via WMI. Try searching index=* for a recent time period after you know the other system has generated some log entries and see if it shows up in hosts. You can disable this input once you get it working.

2) Repeat the same test only using the UF. You can find an example here. There are probably samples/examples right in some .conf files already on your system, perhaps just commented out. You can disable this after you get it working, or leave it enabled - your choice. If WMI worked but this won't, post your inputs.conf and outputs.conf, as satishsdange suggested.

Really, get those two working first. If you can't, then there's something more broken like permissions on the account are wrong, or maybe the time on the host is off.

3) Once you have the UF forwarding the system event log, we can try the non-default event logs using it as well. (I have not had luck using WMI to collect non-default logs). Check here for instructions on setting that up. Note particularly you have to use the full name of the operational logs - the link explains that. If it's working - great! If you got #1 and #2 working but not this, then post your inputs.conf and outputs.conf from the UF so we can take a look at them.

Report back with what you find.
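The two files below implement steps 2 and 3 on the forwarder side, as an added example; they are not from the original post or from Splunk's own default files. The indexer address, the index name and the Web Application Proxy channel name are assumptions: confirm the channel's full name on the WAP host with Get-WinEvent -ListLog '*WebApplicationProxy*' (or wevtutil el) before relying on it, and put both files under $SPLUNK_HOME/etc/system/local (or an app's local directory), not in etc/system/default.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf   (assumed path; added example)

# Step 2: the default System channel, used only to prove the UF -> indexer
# path works. Disable it afterwards if you do not want it indexed.
[WinEventLog://System]
disabled = 0
# assumed index name; it must already exist on the indexer
index = wineventlog

# Step 3: a non-default channel from Applications and Services Logs.
# The stanza needs the channel's FULL name, not the display name shown in
# Event Viewer. The name below is an assumption; verify it on the host.
[WinEventLog://Microsoft-Windows-WebApplicationProxy/Admin]
disabled = 0
index = wineventlog
# pick up the whole log on first run, then follow it live
start_from = oldest
current_only = 0
renderXml = false


# $SPLUNK_HOME/etc/system/local/outputs.conf   (assumed path; added example)
#
# The shipped default outputs.conf defines [tcpout] with no server, so a
# forwarder with no local override reads its inputs but sends them nowhere.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# assumed indexer address and receiving port
server = 10.0.0.5:9997
# require indexer acknowledgement so events are not silently dropped
useACK = true
```

After restarting the forwarder, `splunk list forward-server` on the UF should show the indexer under active forwards; if it appears under configured-but-inactive forwards, the problem is the network path or the receiving port, not the inputs. Once events arrive, the per-channel search is simply `index=wineventlog host=<uf-host>` narrowed by `source`.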


frippe15
New Member
1. System logs using WMI works.
2. Only with UF is not working. This is my inputs.conf:

[default]
host = xxx-web-t1a

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog://System]
disabled = 0

and outputs:

#   Version 6.2.5
#
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.

[tcpout]
maxQueueSize = auto
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false
indexAndForward = false
autoLBFrequency = 30
blockOnCloning = true
compressed = false
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
heartbeatFrequency = 30
maxFailuresPerInterval = 2
secsInFailureInterval = 1
maxConnectionsPerIndexer = 2
forceTimebasedAutoLB = false
sendCookedData = true
connectionTimeout = 20
readTimeout = 300
writeTimeout = 300
tcpSendBufSz = 0
ackTimeoutOnShutdown = 30
useACK = false
blockWarnThreshold = 100
sslQuietShutdown = false

[syslog]
type = udp
priority = <13>
dropEventsOnQueueFull = -1
maxEventSize = 1024

0 Karma

frippe15
New Member

It's working now, I had only default output.conf... :) So with output.conf in local and with tcp output specified, it's working.

0 Karma

satishsdange
Builder

Can you post your inputs.conf & outputs.conf?

0 Karma