- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm trying to pull in Windows Event logs from the Windows PowerShell path. This path includes 800s, which I've seen in event viewer so I know they're generated and stored here. I just can't seem to pull anything and I don't see much help on the internet to pulling this path.
This is my inputs.conf:
[WinEventLog://Windows PowerShell/]
disabled=0
Note: This is different from the other PowerShell path where I get my 4103 and 4104 codes:
[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled=0
Any helps is appreciated. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My inputs.conf was incorrect. I had a / at the end of PowerShell. Removed the / and now it is ingesting properly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My inputs.conf was incorrect. I had a / at the end of PowerShell. Removed the / and now it is ingesting properly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have to get a proper path from the Event Log properties.
You seem to have a right one in the second case (Microsoft-Windows-PowerShell/Operational).
But the first one doesn't seem right. Check the properties of this log in Event Viewer and see its Full Name
