Hi,
I've got a universal forwarder and I'm trying to monitor C:\Windows\System32\winevt\Logs. I've tried 2 solutions: CLI and inputs.conf.
CLI: Splunk add monitor C:\Windows\System32\winevt\Logs
inputs.conf:
[monitor://C:\Windows\System32\winevt\Logs]
disabled = 0
Both solutions are not working, and I've tried a combination of the two. Am I missing a step? Are there any ways to troubleshoot this so I can get a clear picture of what's happening (in this case, not happening)?
The logs that I was trying to monitor are a Windows Event Log, which the monitor stanza can't monitor dynamically. To monitor a Windows event log you have to use the [WinEventLog] stanza. See this documentation for more details:
http://docs.splunk.com/Documentation/Splunk/6.2.7/Data/MonitorWindowsdata
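As an added illustration of that answer (not configuration posted in this thread), here is what an inputs.conf on the universal forwarder looks like when the event log channels are collected through the WinEventLog input instead of a file monitor on the winevt\Logs directory. The index name "main" is a placeholder; the channel names Application, System and Security are the standard Windows channels.

```ini
# inputs.conf on the universal forwarder (added example, not from this thread)
# Put it in $SPLUNK_HOME\etc\system\local\ or in an app's local\ directory.
# "main" is a placeholder: use the index you created on the indexer.

# The .evtx files under C:\Windows\System32\winevt\Logs are not watched
# as files. Each Windows Event Log channel gets its own WinEventLog stanza.
[WinEventLog://Application]
disabled = 0
index = main

[WinEventLog://System]
disabled = 0
index = main

[WinEventLog://Security]
disabled = 0
index = main
# Read the existing events once, then keep following new ones as they arrive.
start_from = oldest
current_only = 0
```

Remove the [monitor://C:\Windows\System32\winevt\Logs] stanza so the two inputs do not compete, and restart the forwarder after saving, since inputs.conf is only read at startup.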
I tried putting the path in $SPLUNK_HOME/etc/app/
and it worked, but it doesn't monitor the logs in real time and it seems to get the logs only once.
The only time the logs are updated is when I restart the forwarder.
Hi,
Try this
Splunk add monitor C:\Windows\System32\winevt\Logs -index indexName
This one doesn't seem to be working either. I've also made sure that the index is created on the indexer.