How to monitor all windows event logs?

snix
Communicator

Is there a setting I can put in the inputs.conf file that would automatically grab all windows event logs? This would include all the logs found not just found under the "Windows Logs" folder but also under the "Applications and Services Logs" folder and all sub folders within it.

1 Solution

snowmizer
Communicator

You can modify the inputs.conf stanza on the Windows server you're monitoring. This link shows some good examples:

http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata#Use_inputs.conf_to_config...

snix
Communicator

Thanks for the link, as there is good information there, but as far as I can tell there is no info about just pulling everything instead of specifying individual logs. I guess I should just try and use a wildcard:

[WinEventLog://*]
disabled = 0
index = wineventlog

Would like to know if it would work before I try it, but if no one answers soon I will give it a shot and post my results here.


snowmizer
Communicator

I'm in the process of testing this myself. I'll let you know what I find out.


snowmizer
Communicator

Testing the config above does not work. I also looked at this doc and didn't see anything that said you could use a wildcard. It looks like you have to specify each log individually.

http://docs.splunk.com/Documentation/Splunk/6.3.0/admin/Inputsconf


snix
Communicator

Yep, came to the same conclusion in my testing. In the link provided I see wildcards are an option in the file monitor path but not in event log monitoring 😞 May need to put in a feature request, as adding everything in by hand will take waaaaay too long.


snowmizer
Communicator

If you're using deployment server you can set up an app that contains the inputs.conf that you want on your Windows servers and then just push it to all of the servers. That will keep you from needing to touch every server.


snix
Communicator

Yeah, I have a deployment server set up, but it is requested that I log all event logs on some systems, and given there are at least a hundred separate event logs, putting them all in by hand even into one inputs.conf file doesn't sound like too much fun 😉

Having a grab-all option would be great, as it would also pick up any new event logs added to the system after the initial configuration of the files.

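Since the thread concludes that WinEventLog stanzas must name each channel individually, the practical way to get "everything" without typing a hundred stanzas is to generate inputs.conf from the channel list the host itself reports. The script below is an added example written for this thread, not code from the original posts or from Splunk: it enumerates every event log channel on the local Windows host with Get-WinEvent -ListLog and writes one [WinEventLog://<channel>] stanza per channel, using the disabled and index settings that appear in the thread (the index name wineventlog is taken from snix's snippet). Assumed: it runs on the monitored host in an elevated session so that hidden Analytic/Debug channels and access-restricted channels can be listed, and the output path is illustrative.

```powershell
# Added example (not from the thread or from Splunk): build a Splunk inputs.conf
# that covers every Windows event log channel present on this host.
# Assumptions: run elevated on the monitored host; the index name comes from the
# thread; the output path is illustrative and meant to be copied into a
# deployment-server app rather than edited on each server.
param(
    [string]$Index   = 'wineventlog',        # index named in the thread
    [string]$OutFile = '.\inputs.conf',      # illustrative output location
    [switch]$IncludeDisabledChannels          # default: skip channels the OS has disabled
)

# -Force also lists Analytic/Debug channels hidden from Event Viewer;
# SilentlyContinue skips channels this session is not permitted to read.
$logs = Get-WinEvent -ListLog * -Force -ErrorAction SilentlyContinue |
        Where-Object { $IncludeDisabledChannels -or $_.IsEnabled } |
        Sort-Object LogName

# One stanza per channel. Channel names may contain spaces or slashes
# (e.g. "Windows PowerShell", "Microsoft-Windows-Sysmon/Operational");
# they are used verbatim after the WinEventLog:// prefix.
$stanzas = foreach ($log in $logs) {
    @(
        "[WinEventLog://$($log.LogName)]",
        "disabled = 0",
        "index = $Index",
        ""
    )
}

$header = @(
    "# Generated $(Get-Date -Format o) on $env:COMPUTERNAME",
    "# $($logs.Count) channel(s). Review before deploying: high-volume Analytic/Debug",
    "# channels can be set to disabled = 1 here rather than removed.",
    ""
)

($header + $stanzas) | Set-Content -Path $OutFile -Encoding ASCII
Write-Host "Wrote $($logs.Count) stanza(s) to $OutFile"
```

Two things to keep in mind when using it. First, the generated file is a snapshot: a channel that is created later (a new role, a new application) will not be covered until the script is re-run, so schedule it or regenerate it as part of the deployment-server app build rather than treating it as a one-off. Second, "all channels" on a typical server is several hundred stanzas, many of them Analytic/Debug channels that are either empty or extremely noisy once enabled; the default filter on IsEnabled keeps the OS-disabled ones out, and the header comment is a reminder to review the rest for volume before pushing the app to every host.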