Re: How to configure inputs.conf to get PowerShell...

pkeller · ‎06-29-2016

I've been asked to index both Operational.evtx and Analytic.etl from both \Winevt\Logs\Microsoft-Windows-WinRM and \Winevt\Logs\Microsoft-Windows-PowerShell from a few Windows hosts.

I'm not quite sure how to configure the inputs.conf for this. I'm guessing that it's something like:

[WinEventLog:PowerShell]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml=false
or

[WinEventLog:WinRM]
..

But again, not really clear. (and not at all Windows literate) And then how do you differentiate between the Operational and Analytic objects.

Thank you

ddrillic · ‎07-10-2016

The following speaks about it - Forwarding Windows Event Logs to another host

In Step 4, it shows -

[WinEventLog://SOURCE-Security]
sourcetype = WinEventLog:Security
host = SOURCE
disabled = false

spayneort · ‎07-08-2016

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = false

[WinEventLog://Microsoft-Windows-WinRM/Operational]
disabled = false

How to configure inputs.conf to get PowerShell and WinRM event logs from Windows hosts?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation