Getting Data In

## How to configure inputs.conf to get PowerShell and WinRM event logs from Windows hosts?

Contributor

I've been asked to index both Operational.evtx and Analytic.etl from both \Winevt\Logs\Microsoft-Windows-WinRM and \Winevt\Logs\Microsoft-Windows-PowerShell from a few Windows hosts.

I'm not quite sure how to configure the inputs.conf for this. I'm guessing that it's something like:

``````[WinEventLog:PowerShell]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
or

[WinEventLog:WinRM]
..
``````

But again, not really clear. (and not at all Windows literate) And then how do you differentiate between the Operational and Analytic objects.

Thank you

Ultra Champion

The following speaks about it - Forwarding Windows Event Logs to another host

In Step 4, it shows -

``````[WinEventLog://SOURCE-Security]
sourcetype = WinEventLog:Security
host = SOURCE
disabled = false
``````
Contributor
``````[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = false

[WinEventLog://Microsoft-Windows-WinRM/Operational]
disabled = false
``````