
How to monitor all windows event logs?

Communicator

Is there a setting I can put in the inputs.conf file that would automatically grab all Windows event logs? This would include not just the logs found under the "Windows Logs" folder but also those under the "Applications and Services Logs" folder and all sub-folders within it.

1 Solution

SplunkTrust

You can modify the inputs.conf stanza on the Windows server you're monitoring. This link shows some good examples:

http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata#Use_inputs.conf_to_config...



Communicator

Thanks for the link, as there is good information there, but as far as I can tell there is no info about just pulling everything instead of specifying individual logs. I guess I should just try and use a wildcard:

[WinEventLog://*]
disabled = 0
index = wineventlog

Would like to know if it would work before I try it, but if no one answers soon I will give it a shot and post my results here.


SplunkTrust

I'm in the process of testing this myself. I'll let you know what I find out.


SplunkTrust

Testing the config above does not work. I also looked at this doc and didn't see anything that said you could use a wildcard. It looks like you have to specify each log individually.

http://docs.splunk.com/Documentation/Splunk/6.3.0/admin/Inputsconf


Communicator

Yep, came to the same conclusion in my testing. In the link provided I see wildcards are an option in the file monitor path but not in event log monitoring 😞 May need to put in a feature request, as adding everything in by hand will take waaaaay too long.


SplunkTrust

If you're using a deployment server, you can set up an app that contains the inputs.conf that you want on your Windows servers and then just push it to all of the servers. That will keep you from needing to touch every server.


Communicator

Yeah, I have a deployment server set up, but it is requested that I log all event logs on some systems, and given there are at least a hundred separate event logs, putting them all in by hand, even into one inputs.conf file, doesn't sound like too much fun 😉

Having a grab-all option would be great, as it would also pick up any new event logs added to the system after the initial configuration of the files.

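Since the thread concludes that `[WinEventLog://...]` stanzas accept no wildcard and every channel has to be listed by hand, the following PowerShell script, an added example and not part of this thread or of Splunk's own tooling, enumerates the event log channels on the host it runs on and writes one stanza per channel in the format shown above (`disabled = 0`, `index = wineventlog`). The output path, the `$Index` value and the `-IncludeEmpty` switch are assumptions for the example.

```powershell
# Added example: build an inputs.conf with one [WinEventLog://<name>] stanza per
# event log channel registered on this host, since the stanza name cannot be
# a wildcard. The destination path below is hypothetical; point it at the
# inputs.conf of the app you push from the deployment server.
param(
    [string]$OutFile = "$PSScriptRoot\inputs.conf",   # hypothetical destination
    [string]$Index   = "wineventlog",                  # index used in the thread
    [switch]$IncludeEmpty                              # also emit channels with zero records
)

# Get-WinEvent -ListLog * returns every channel on the machine, including all
# of "Applications and Services Logs" and its sub-folders (channel names such
# as "Microsoft-Windows-Sysmon/Operational" carry the folder in the name).
$logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object {
        $_.IsEnabled -and
        # Analytical/Debug channels are high-volume tracing channels that are
        # off by default; only Administrative and Operational logs are kept.
        ($_.LogType -in @('Administrative', 'Operational')) -and
        # Skip channels that have never logged anything unless asked to keep
        # them, so the generated file is not padded with hundreds of idle inputs.
        ($IncludeEmpty -or $_.RecordCount -gt 0)
    } |
    Sort-Object LogName

# One stanza per channel, in the same shape the thread uses.
$stanzas = foreach ($log in $logs) {
    @(
        "[WinEventLog://$($log.LogName)]",
        "disabled = 0",
        "index = $Index",
        ""
    ) -join "`n"
}

# Write plain UTF-8 without a byte-order mark.
$utf8NoBom = [System.Text.UTF8Encoding]::new($false)
[System.IO.File]::WriteAllText($OutFile, ($stanzas -join "`n"), $utf8NoBom)
Write-Host "Wrote $($logs.Count) WinEventLog stanzas to $OutFile"
```

Run it on a host representative of the role you are onboarding, because the set of channels depends on the installed roles and features, and review the generated file before pushing it; channels created after the run still need a re-run, which is the gap the thread's "grab-all" request would close.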