Getting Data In

How to write a monitoring stanza to monitor the Windows Event Viewer logs?

Hemnaath
Motivator

Hi All, 

We have a request from a Cybersecurity team to monitor the Windows Event Viewer logs in Splunk. My question is how to configure the monitoring stanza to get the event data into Splunk.

Event Viewer (Local) --->Application and Services Logs --> OpenSSH --> Admin

Event Viewer (Local) --->Application and Services Logs --> OpenSSH --> Operational 

When I check the properties to find the exact log path details, I see this:

%SystemRoot%\System32\Winevt\Logs\OpenSSH%4Operational.evtx

%SystemRoot%\System32\Winevt\Logs\OpenSSH%4Admin.evtx

My question is how to write the monitoring stanza for this path and define the sourcetype for the same.

[WinEventLog://Application/OpenSSH/Operational]
sourcetype=winEventLog:OpenSSH:Operational
index=test
disabled=0

[WinEventLog://Application/OpenSSH/Admin]
sourcetype=winEventLog:OpenSSH:Admin
index=test
disabled=0

Please guide me on this 

0 Karma

VatsalJagani
SplunkTrust

@Hemnaath - Please try the two stanzas below.

[WinEventLog://OpenSSH/Operational]
sourcetype=winEventLog:OpenSSH:Operational
index=test
disabled=0

[WinEventLog://OpenSSH/Admin]
sourcetype=winEventLog:OpenSSH:Admin
index=test
disabled=0

Please read the reference here - https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/MonitorWindowseventlogdata 

I hope this helps!!! Upvote/karma would be appreciated!!!

0 Karma
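As an added example (not code from the thread or from Splunk), the script below maps the .evtx file names quoted in the question to WinEventLog channel names (Windows writes the `/` of a channel name as `%4` in the file name) and lints an inputs.conf for the two mistakes visible above: carrying the Event Viewer folder into the channel path, and using `disable` instead of `disabled`. The function names are my own and Python's configparser stands in for Splunk's conf parser.

```python
"""Added example, not from the thread: map the .evtx names quoted in the
question to Splunk WinEventLog channel names and lint an inputs.conf for the
mistakes visible above (Event Viewer folder in the path, 'disable' key)."""
import configparser
import ntpath

# Windows encodes '/' in a channel name as '%4' in the Winevt\Logs file name,
# so OpenSSH%4Operational.evtx is the channel OpenSSH/Operational.
def channel_from_evtx(path: str) -> str:
    name, _ = ntpath.splitext(ntpath.basename(path))
    return name.replace("%4", "/")

def lint_inputs(conf_text: str, known_channels: set) -> dict:
    """Return {stanza: [problems]} for every WinEventLog:// stanza."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. checkpointInterval
    cp.read_string(conf_text)
    report = {}
    for stanza in cp.sections():
        if not stanza.startswith("WinEventLog://"):
            continue
        problems, channel = [], stanza[len("WinEventLog://"):]
        if channel not in known_channels:
            hint = ""
            # The Event Viewer tree folder (Application and Services Logs) is
            # not part of the channel name, so strip a leading "Application/".
            if channel.startswith("Application/") and channel[12:] in known_channels:
                hint = f"; the Event Viewer folder is not part of the name, use {channel[12:]}"
            problems.append(f"unknown channel {channel!r}{hint}")
        for key in cp[stanza]:
            if key == "disable":
                problems.append("key 'disable' is ignored; the setting is 'disabled'")
        report[stanza] = problems
    return report

# Constructed sample: the stanza from the question next to a corrected one.
SAMPLE_CONF = """[WinEventLog://Application/OpenSSH/Operational]
sourcetype=winEventLog:OpenSSH:Operational
index=test
disable=0

[WinEventLog://OpenSSH/Admin]
sourcetype=winEventLog:OpenSSH:Admin
index=test
disabled=0
"""
# Channel names derived from the two .evtx paths quoted in the question.
SAMPLE_CHANNELS = {channel_from_evtx(p) for p in (
    r"%SystemRoot%\System32\Winevt\Logs\OpenSSH%4Operational.evtx",
    r"%SystemRoot%\System32\Winevt\Logs\OpenSSH%4Admin.evtx")}
```

Run `lint_inputs(SAMPLE_CONF, SAMPLE_CHANNELS)` against a real inputs.conf with the channel set taken from the host's Winevt\Logs directory to catch the same two mistakes before deploying.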

Hemnaath
Motivator

Hey, I have deployed the stanza below to the remote machine to monitor the Windows Event Viewer --> OpenSSH logs, but I am unable to see the data being monitored from the machine.

Monitoring stanza details:

[WinEventLog://OpenSSH/Operational]
index=main
sourcetype=winEventLog
start_from = oldest
current_only = 0
checkpointInterval = 5
disabled=0
renderXml=false

[WinEventLog://OpenSSH/Admin]
index=main
sourcetype=winEventLog
current_only = 0
checkpointInterval = 5
disabled=0
renderXml=false

I tried to check the Splunk internal logs but am unable to find anything related to this sourcetype.

index="_internal" sourcetype=splunkd* host="XXXXX*"  channel='OpenSSH/Admin'

Can anyone guide me on how to monitor the Windows Event Viewer?

0 Karma

VatsalJagani
SplunkTrust

@Hemnaath - Can you please check for any errors with the query below?

index="_internal" sourcetype=splunkd host="XXXXX*" CASE(ERROR)

0 Karma

Hemnaath
Motivator

I executed the query, but there were no error/warn messages related to the source OpenSSH; I could see the error below for another channel.

05-12-2022 12:04:31.538 +0000 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" ERROR splunk-winevtlog - WinEventLogChannel::saveBookMark: Failed to update Windows Event Log bookmark, channel='System'

0 Karma