Hi All,
We have a request from a cybersecurity team to monitor the Windows Event Viewer logs in Splunk. My question is how to configure the monitoring stanza to get the event data into Splunk.
Event Viewer (Local) --->Application and Services Logs --> OpenSSH --> Admin
Event Viewer (Local) --->Application and Services Logs --> OpenSSH --> Operational
When I check the properties to find the exact log path, I see this:
%SystemRoot%\System32\Winevt\Logs\OpenSSH%4Operational.evtx
%SystemRoot%\System32\Winevt\Logs\OpenSSH%4Admin.evtx
My question is how to write the monitoring stanza for these paths and define the sourcetype for them.
[WinEventLog://Application/OpenSSH/Operational]
sourcetype = winEventLog:OpenSSH:Operational
index = test
disabled = 0
[WinEventLog://Application/OpenSSH/Admin]
sourcetype = winEventLog:OpenSSH:Admin
index = test
disabled = 0
Please guide me on this.
@Hemnaath - Please try the below two stanzas.
[WinEventLog://OpenSSH/Operational]
sourcetype = winEventLog:OpenSSH:Operational
index = test
disabled = 0
[WinEventLog://OpenSSH/Admin]
sourcetype = winEventLog:OpenSSH:Admin
index = test
disabled = 0
Please read the reference here - https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/MonitorWindowseventlogdata
I hope this helps!!! Upvote/karma would be appreciated!!!
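The mapping the answer relies on can be checked mechanically: Windows writes the "/" of a channel name as "%4" in the .evtx file name, so OpenSSH%4Admin.evtx is the channel OpenSSH/Admin, and that channel name (not the Event Viewer folder path) is what goes after WinEventLog://. The script below is an added example written for this thread, not Splunk's own code or anything the poster provided; it derives the stanza name from an .evtx path, renders a minimal stanza, and lints an inputs.conf fragment for the two mistakes seen in the thread (a folder-style channel path and the key "disable" instead of "disabled"). KNOWN_KEYS is a subset of the documented WinEventLog input keys, and the host channel list passed in by the caller is assumed to have been collected on the Windows host (for example with Get-WinEvent -ListLog *).

```python
"""Added example (not from the original thread): map a Windows .evtx log path
to the Splunk WinEventLog:// stanza name and lint an inputs.conf fragment.
KNOWN_KEYS is a subset of the documented WinEventLog input keys; the host
channel set used in the usage call is constructed for illustration."""
import configparser
import ntpath

# inputs.conf keys the WinEventLog input reads (subset relevant to this thread).
KNOWN_KEYS = {
    "disabled", "index", "sourcetype", "start_from", "current_only",
    "checkpointInterval", "renderXml", "whitelist", "blacklist",
}


def channel_from_evtx(path: str) -> str:
    """Windows stores the '/' of a channel name as '%4' in the .evtx file name,
    so ...\\OpenSSH%4Admin.evtx is the channel 'OpenSSH/Admin'. This is a plain
    substitution, not URL decoding ('%4A' would otherwise decode to 'J')."""
    name = ntpath.basename(path)          # understands backslashes on any OS
    if name.lower().endswith(".evtx"):
        name = name[:-len(".evtx")]
    return name.replace("%4", "/")


def build_stanza(evtx_path: str, index: str, sourcetype: str) -> str:
    """Render a minimal, correctly keyed WinEventLog stanza for one .evtx path."""
    channel = channel_from_evtx(evtx_path)
    return "\n".join([
        f"[WinEventLog://{channel}]",
        f"index = {index}",
        f"sourcetype = {sourcetype}",
        "disabled = 0",
    ])


def lint_stanzas(text: str, host_channels=None) -> list:
    """Return human-readable findings for an inputs.conf fragment.
    host_channels: optional set of channel names that exist on the host."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                  # keep key case (checkpointInterval)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("WinEventLog://"):
            findings.append(f"[{section}]: not a WinEventLog:// stanza")
            continue
        channel = section[len("WinEventLog://"):]
        if host_channels is not None and channel not in host_channels:
            findings.append(f"[{section}]: channel '{channel}' does not exist on the host")
        for key in cp[section]:
            if key == "disable":
                findings.append(f"[{section}]: 'disable' is not a valid key; use 'disabled = 0'")
            elif key not in KNOWN_KEYS:
                findings.append(f"[{section}]: unknown key '{key}'")
    return findings


if __name__ == "__main__":
    # Constructed host channel set; on a real host collect it with Get-WinEvent.
    host = {"OpenSSH/Admin", "OpenSSH/Operational", "System", "Security"}
    evtx = r"%SystemRoot%\System32\Winevt\Logs\OpenSSH%4Admin.evtx"
    print(build_stanza(evtx, "test", "winEventLog:OpenSSH:Admin"))
    original = "\n".join([
        "[WinEventLog://Application/OpenSSH/Admin]",
        "sourcetype=winEventLog:OpenSSH:Admin",
        "index=test",
        "disable=0",
    ])
    for finding in lint_stanzas(original, host):
        print(finding)
```

Running the lint over the stanza from the question reports both problems: the channel "Application/OpenSSH/Admin" is not on the host (the Event Viewer tree shows folders, but the channel name is just OpenSSH/Admin), and "disable" is silently ignored by Splunk, so it should be "disabled = 0".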
Hey, I deployed the below stanzas to the remote machine to monitor Windows Event Viewer --> OpenSSH, but I am unable to see any data being monitored from the machine.
Monitoring stanza details:
[WinEventLog://OpenSSH/Operational]
index = main
sourcetype = winEventLog
start_from = oldest
current_only = 0
checkpointInterval = 5
disabled = 0
renderXml = false
[WinEventLog://OpenSSH/Admin]
index = main
sourcetype = winEventLog
current_only = 0
checkpointInterval = 5
disabled = 0
renderXml = false
I tried to check the Splunk internal logs but was unable to find anything related to this sourcetype.
index="_internal" sourcetype=splunkd* host="XXXXX*" channel="OpenSSH/Admin"
Can anyone guide me on how to monitor the Windows Event Viewer?
@Hemnaath - Can you please check for any errors with the below query?
index="_internal" sourcetype=splunkd host="XXXXX*" CASE(ERROR)
I executed the query, but there were no errors/warnings related to the source OpenSSH; I could see the below error for another channel.
05-12-2022 12:04:31.538 +0000 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" ERROR splunk-winevtlog - WinEventLogChannel::saveBookMark: Failed to update Windows Event Log bookmark, channel='System'
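When triaging splunkd.log output from the splunk-winevtlog modular input, the useful signals are per channel: which channels produce ERROR or WARN messages, and which watched channels are never mentioned at all (silence is consistent with the input never having been started for that channel, which is worth checking before hunting for errors). The script below is an added example written for this thread, not Splunk code or anything the poster ran; it parses lines in the format quoted above, buckets them by channel and level, and lists watched channels with no mention. The first sample line is the one quoted in the thread; the second is constructed for illustration and is not real Splunk output.

```python
"""Added example (not from the original thread): triage splunkd.log lines
for the splunk-winevtlog input by Windows Event Log channel. The first sample
line is quoted from the thread; the second is constructed and not real output."""
import re
from collections import defaultdict

# splunkd.log line layout: "<date> <time> <tz> <LEVEL> <Component> - <message>"
SPLUNKD_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)
# The winevtlog input names the channel it is complaining about as channel='...'
CHANNEL_RE = re.compile(r"channel='(?P<channel>[^']+)'")

SAMPLE_LINES = [
    # Quoted from the thread.
    "05-12-2022 12:04:31.538 +0000 ERROR ExecProcessor - message from \"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-winevtlog.exe\"\" ERROR splunk-winevtlog - WinEventLogChannel::saveBookMark: Failed to update Windows Event Log bookmark, channel='System'",
    # Constructed for illustration; not real Splunk output.
    "05-12-2022 12:05:02.001 +0000 WARN  ExecProcessor - message from \"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-winevtlog.exe\"\" WARN splunk-winevtlog - example constructed warning, channel='Security'",
]


def parse_line(line: str):
    """Split one splunkd.log line into fields; None if it does not match."""
    m = SPLUNKD_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    ch = CHANNEL_RE.search(rec["msg"])
    rec["channel"] = ch.group("channel") if ch else None
    return rec


def summarize_by_channel(lines) -> dict:
    """Count log levels per channel, e.g. {'System': {'ERROR': 1}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec and rec["channel"]:
            summary[rec["channel"]][rec["level"]] += 1
    return {channel: dict(levels) for channel, levels in summary.items()}


def silent_channels(lines, watched) -> list:
    """Watched channels that no parsed line mentions at all."""
    mentioned = set(summarize_by_channel(lines))
    return sorted(set(watched) - mentioned)


if __name__ == "__main__":
    watched = ["OpenSSH/Operational", "OpenSSH/Admin", "System"]
    for channel, levels in summarize_by_channel(SAMPLE_LINES).items():
        print(channel, levels)
    print("never mentioned:", silent_channels(SAMPLE_LINES, watched))
```

On the sample input the System channel shows one bookmark ERROR and both OpenSSH channels are never mentioned, which matches the situation in the thread: the absence of errors for OpenSSH is not evidence that the input is running.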