Getting Data In

How to monitor all windows event logs?

snix
Communicator

Is there a setting I can put in the inputs.conf file that would automatically grab all Windows event logs? This would include not just the logs found under the "Windows Logs" folder but also those under the "Applications and Services Logs" folder and all subfolders within it.

1 Solution

snowmizer
SplunkTrust

You can modify the inputs.conf stanza on the Windows server you're monitoring. This link shows some good examples:

http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata#Use_inputs.conf_to_config...


snix
Communicator

Thanks for the link; there is good information there, but as far as I can tell there is no info about just pulling everything instead of specifying individual logs. I guess I should just try using a wildcard:

[WinEventLog://*]
disabled = 0
index = wineventlog

Would like to know if it would work before I try it, but if no one answers soon I will give it a shot and post my results here.


snowmizer
SplunkTrust

I'm in the process of testing this myself. I'll let you know what I find out.


snowmizer
SplunkTrust

Testing the config above does not work. I also looked at this doc and didn't see anything that said you could use a wildcard. It looks like you have to specify each log individually.

http://docs.splunk.com/Documentation/Splunk/6.3.0/admin/Inputsconf


snix
Communicator

Yep, came to the same conclusion in my testing. In the link provided I see wildcards are an option in the file monitor path but not in event log monitoring 😞 May need to put in a feature request, as adding everything in by hand will take waaaaay too long.


snowmizer
SplunkTrust

If you're using a deployment server, you can set up an app that contains the inputs.conf that you want on your Windows servers and then just push it to all of the servers. That will keep you from needing to touch every server.


snix
Communicator

Yeah, I have a deployment server set up, but it is requested that I log all event logs on some systems, and given there are at least a hundred separate event logs, putting them all in by hand, even into one inputs.conf file, doesn't sound like too much fun 😉

Having a grab-all option would be great, as it would also pick up any new event logs added to the system after the initial configuration of the files.

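Since the thread establishes that a WinEventLog stanza takes no wildcard and that a host can carry a hundred or more channels, the practical substitute is to let the host enumerate its own channels and write the stanzas. The PowerShell below is an added example for this page, not code from the thread or from Splunk. The deployment-app path, the index name and the rule for skipping disabled or empty channels are assumptions to adjust for your environment. It writes one [WinEventLog://<channel>] stanza per enabled channel, covering everything Get-WinEvent -ListLog returns, which includes the channels under "Applications and Services Logs", into an inputs.conf inside a deployment-server app so it can be pushed the way snowmizer describes.

```powershell
# Added example (not from the thread or from Splunk): generate a per-channel
# inputs.conf because the WinEventLog input does not accept a wildcard.
[CmdletBinding()]
param(
    # Hypothetical deployment app; adjust to your deployment-server layout.
    [string]$AppRoot = "C:\Program Files\Splunk\etc\deployment-apps\all_wineventlogs\local",
    # Index used in the thread's stanza.
    [string]$Index = "wineventlog",
    # By default skip channels that are disabled or currently hold no records;
    # pass -IncludeEmpty to emit stanzas for every enabled channel regardless.
    [switch]$IncludeEmpty
)

$ErrorActionPreference = "Stop"

# -ListLog * returns one EventLogConfiguration per channel on this host.
# Some channels refuse access without elevation; SilentlyContinue keeps the
# enumeration going instead of aborting on the first protected channel.
$channels = @(Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and ($IncludeEmpty -or $_.RecordCount -gt 0) } |
    Sort-Object LogName)

$lines = New-Object System.Collections.Generic.List[string]
$lines.Add("# Generated $(Get-Date -Format o) on $env:COMPUTERNAME")
$lines.Add("# $($channels.Count) channels; review before pushing to other hosts.")

foreach ($c in $channels) {
    # Channel names such as Microsoft-Windows-Sysmon/Operational go in as-is;
    # the slash is part of the documented stanza form.
    $lines.Add("")
    $lines.Add("[WinEventLog://$($c.LogName)]")
    $lines.Add("disabled = 0")
    $lines.Add("index = $Index")
}

New-Item -ItemType Directory -Path $AppRoot -Force | Out-Null
$path = Join-Path $AppRoot "inputs.conf"
# Write UTF-8 without a BOM; Out-File's default encoding would put a BOM or
# UTF-16 at the top of the file, which Splunk's .conf parser does not want.
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllLines($path, $lines.ToArray(), $utf8NoBom)
Write-Host "Wrote $($channels.Count) stanzas to $path"
```

Run it from an elevated PowerShell on a host whose channel set is representative of the target group, then reload the deployment server (splunk reload deploy-server) so the app reaches the clients. Two caveats a practitioner will want: a stanza for a channel that does not exist on a receiving host produces an error in that host's splunkd.log rather than being ignored, so build the list from a host that matches the targets or keep separate apps per server class; and because the list is a snapshot, a channel created after the run (a newly installed agent's operational log, for instance) is not picked up until the script is run again, which is exactly the gap snix points out a grab-all option would have closed.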