Is there a setting I can put in the inputs.conf file that would automatically grab all windows event logs? This would include all the logs found not just found under the "Windows Logs" folder but also under the "Applications and Services Logs" folder and all sub folders within it.
You can modify the inputs.conf stanza on the Windows server you're monitoring. This link shows some good examples:
Thanks for the link, as there is good information there, but as far as I can tell there is no info about just pulling everything instead of specifying individual logs. I guess I should just try and use a wildcard:
[WinEventLog://*]
disabled = 0
index = wineventlog
Would like to know if it would work before I try it but if no one answers soon I will give it a shot and post my results here.
I'm in the process of testing this myself. I'll let you know what I find out.
Testing the config above does not work. I also looked at this doc and didn't see anything that said you could use a wildcard. It looks like you have to specify each log individually.
http://docs.splunk.com/Documentation/Splunk/6.3.0/admin/Inputsconf
Yep, came to the same conclusion in my testing. In the link provided I see wildcards are an option in the file monitor path but not in event log monitoring 😞 May need to put in a feature request, as adding everything in by hand will take waaaaay too long.
If you're using deployment server you can set up an app that contains the inputs.conf that you want on your Windows servers and then just push it to all of the servers. That will keep you from needing to touch every server.
Yeah, I have a deployment server set up, but it is requested that I log all event logs on some systems, and given there are at least a hundred separate event logs, putting them all in by hand, even into one inputs.conf file, doesn't sound like too much fun 😉
Having a grab-all option would be great, as it would also pick up any new event logs added to the system after the initial configuration of the files.
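Since a wildcard in the stanza name is not accepted, one way around typing a hundred stanzas by hand is to let the host enumerate its own channels. The PowerShell below is an added example, not from this thread or from Splunk: it lists every event log channel (the "Windows Logs" ones and everything under "Applications and Services Logs") with Get-WinEvent -ListLog and writes one WinEventLog stanza per channel into an inputs.conf; the index name, app folder and output path are assumptions.

```powershell
# Generate a Splunk inputs.conf that monitors every Windows event log channel on this host.
# Assumed values (not from the thread): index "wineventlog" and a deployment app folder
# "win_all_eventlogs" under the Universal Forwarder's etc\apps directory.
# Run in an elevated session so that access-restricted channels (e.g. Security) are listed.
param(
    [string]$Index   = 'wineventlog',
    [string]$OutFile = 'C:\Program Files\SplunkUniversalForwarder\etc\apps\win_all_eventlogs\local\inputs.conf',
    [switch]$IncludeEmptyLogs   # by default skip channels that have never recorded an event
)

# -ListLog * returns every channel, including nested ones such as
# Microsoft-Windows-Sysmon/Operational. Channels the caller cannot read are skipped silently.
$logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled } |                                   # a disabled channel never emits events
    Where-Object { $IncludeEmptyLogs -or $_.RecordCount -gt 0 } |    # drop channels with no records
    Sort-Object LogName

# One stanza per channel, in the same form as the hand-written stanzas in this thread.
$stanzas = foreach ($log in $logs) {
    @"
[WinEventLog://$($log.LogName)]
disabled = 0
index = $Index

"@
}

New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
# ASCII output avoids a byte-order mark at the start of the first stanza name.
Set-Content -Path $OutFile -Value $stanzas -Encoding ASCII
Write-Host ("Wrote {0} WinEventLog stanzas to {1}" -f @($logs).Count, $OutFile)
```

The generated file only reflects channels present at the time it runs, so re-running it on a schedule (and letting the deployment server push the refreshed app) is what covers logs added later; review the list before pushing, since some channels are very high-volume.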