Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to resend the specific event log from Windows Universal Forwarder

kuga_mbsd
New Member
‎07-05-2016 06:54 PM

Hello Splunkers,

We are collecting the Security Event Log from Windows 2012 Server which has Universal Forwarder installed, and I found that some of the logs were not sent to Indexer even though UseAck=true.
Is there a anyway to send only the specific logs to Indexer?

Thanks in advance,

0 Karma
Reply

woodcock
Esteemed Legend
‎07-06-2016 09:24 AM

The UseAck=true should help you prove where the breakdown did/not happen but there is no reason that the forwarding should not normally be reliable. I have some skepticism that "some" events did not make it in, if everything is configured correctly. We need to see your inputs.conf to be sure.

0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎07-05-2016 07:09 PM

Hi kuga_mbsd, You could perhaps build a WMI query to get specific eventcodes, reviewing the documentation here might help : http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWMIdata#Examples_of_wmi.conf

My next guess would be a script based oneshot gathering the events together as text (xml probably) and indexing the results.

Please let me know if this answers your question! 😄

0 Karma
Reply

kuga_mbsd
New Member
‎07-05-2016 07:40 PM

Hi muebel,

Thank you for your answers.
Regarding the URL you gave me is pulling the logs on the remote Windows host, is that right?
Unfortunately Indexer doesn't have access to the server since Firewall is blocking.

Do you think if Universal Forwarder will send the only specific logs by executing some commands?

Thank you,

0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎07-06-2016 05:47 AM

Yup, you can use powershell to retrieve specific eventlogs described in more detail here : https://technet.microsoft.com/en-us/library/hh849834.aspx

i.e., 

Get-EventLog -LogName "*Security*" -Message "*the message you are looking for*"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...