Getting Data In

How to resend the specific event log from Windows Universal Forwarder

kuga_mbsd
New Member

Hello Splunkers,

We are collecting the Security Event Log from Windows 2012 Server which has Universal Forwarder installed, and I found that some of the logs were not sent to Indexer even though UseAck=true.
Is there a anyway to send only the specific logs to Indexer?

Thanks in advance,

0 Karma

woodcock
Esteemed Legend

The UseAck=true should help you prove where the breakdown did/not happen but there is no reason that the forwarding should not normally be reliable. I have some skepticism that "some" events did not make it in, if everything is configured correctly. We need to see your inputs.conf to be sure.

0 Karma

muebel
SplunkTrust
SplunkTrust

Hi kuga_mbsd, You could perhaps build a WMI query to get specific eventcodes, reviewing the documentation here might help : http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWMIdata#Examples_of_wmi.conf

My next guess would be a script based oneshot gathering the events together as text (xml probably) and indexing the results.

Please let me know if this answers your question! 😄

0 Karma

kuga_mbsd
New Member

Hi muebel,

Thank you for your answers.
Regarding the URL you gave me is pulling the logs on the remote Windows host, is that right?
Unfortunately Indexer doesn't have access to the server since Firewall is blocking.

Do you think if Universal Forwarder will send the only specific logs by executing some commands?

Thank you,

0 Karma

muebel
SplunkTrust
SplunkTrust

Yup, you can use powershell to retrieve specific eventlogs described in more detail here : https://technet.microsoft.com/en-us/library/hh849834.aspx

i.e.,

Get-EventLog -LogName "*Security*" -Message "*the message you are looking for*"
0 Karma
Get Updates on the Splunk Community!

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...