Getting Data In

Index historical Windows eventlogs after running splunk light forwarder for a week

anantshah
Path Finder

Hello,

We installed Splunk Light forwarder about a week ago to collect windows event logs. We have been receiving the logs as expected from the date the forwarder was installed. Is there a way to go back and index all eventlog data?

Thanks.

1 Solution

jrodman
Splunk Employee

The windows app defaults to current_only=0 for the WinEventLog:Security input stanza. This means that it is probably trying to get all the event log events available via the eventlog api on the system. It's possible that via some configuration method you caused current_only=1 for this stanza, which would mean that we would try to start with the time of first install, and only get data after that time. You may want to review this in manager, or in the configuration files.

Alternatively, it's possible that the background records you're interested in are simply not available via the wineventlog api. Windows keeps only so many 'available' in the 'current set', and then pushes them out, either to disk or to nowhere, depending upon configuration.

If you have .evt .evtx archives of these historical events, you can tell splunk to index these files with monitor:// stanzas. These files are fairly sensitive to the installation environment in which they were produced, so it is usually best to index them on the node where they were produced.



jrodman
Splunk Employee

It should try to get all the ones in the main eventlog listing by default. You might want to review the splunkd.log (or in the _internal index) for errors about the wineventlog processor. There is a token in var/lib/splunk/persistentstorage storing a bookmark of where we are in the eventlog stream. Wiping that when splunk is down will cause us to start over. You could use manager or btool to review whether current_only is set to true/1 for your inputs.

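The steps from the accepted answer and the follow-up above (check the effective current_only value with btool, force a full read of the log, optionally index exported .evt/.evtx files with a monitor:// stanza, and reset the bookmark while splunkd is stopped) as one script. This is an added example for this page, not code from the thread or from Splunk. It assumes the forwarder is installed under C:\Program Files\Splunk, that the checkpoint store is the var\lib\splunk\persistentstorage directory named in the follow-up, and that the stanza uses the WinEventLog:<LogName> form shown in the answer (newer Splunk releases write it as WinEventLog://<LogName>). The $SplunkHome, $LogName and $ArchiveDir parameters are this example's own names.

```powershell
<#
  Re-read an entire Windows event log on a Splunk (light) forwarder.
  Added example, not from the thread. Assumptions:
    - $SplunkHome is the forwarder install directory (adjust to yours)
    - the read-position bookmark lives under var\lib\splunk\persistentstorage,
      as stated in the follow-up answer
    - the input stanza is named WinEventLog:<LogName>, as in the answer
  Run from an elevated PowerShell prompt on the forwarder host.
#>
param(
    [string]$SplunkHome = 'C:\Program Files\Splunk',
    [string]$LogName    = 'Application',
    [string]$ArchiveDir = ''   # optional folder of exported .evt/.evtx files
)

$splunk = Join-Path $SplunkHome 'bin\splunk.exe'
$local  = Join-Path $SplunkHome 'etc\system\local'
$stanza = "WinEventLog:$LogName"

# 1. Show the merged, effective settings for the stanza and the file each
#    one comes from. A 'current_only = 1' line here is the reason only
#    events written after installation have been arriving.
& $splunk cmd btool inputs list $stanza --debug

# 2. Write a local override that asks for the whole log, oldest record first.
if (-not (Test-Path $local)) { New-Item -ItemType Directory -Path $local | Out-Null }
$conf = @"

[$stanza]
disabled = 0
current_only = 0
start_from = oldest
"@
if ($ArchiveDir) {
    # Exported archives are picked up with a monitor:// stanza. Index them on
    # the host that produced them so message DLLs and SIDs resolve correctly.
    $conf += @"

[monitor://$ArchiveDir]
disabled = 0
"@
}
Add-Content -Path (Join-Path $local 'inputs.conf') -Value $conf

# 3. Reset the read position: stop splunkd, move the checkpoint store aside
#    (kept as a timestamped backup rather than deleted), then restart.
& $splunk stop
$store = Join-Path $SplunkHome 'var\lib\splunk\persistentstorage'
if (Test-Path $store) {
    Move-Item $store "$store.bak-$(Get-Date -Format 'yyyyMMddHHmmss')"
}
& $splunk start

# 4. Confirm on the indexer that the processor restarted cleanly, e.g. with
#    index=_internal source=*splunkd.log WinEventLog
```

Moving the checkpoint store aside resets the bookmark for every event log input on that host, not only the one named in $LogName, so the forwarder will re-send everything still held in the other logs as well and already-indexed events will appear twice. Records that Windows has already rotated out of the live log cannot be recovered this way; for those, only an exported .evt/.evtx archive read through the monitor:// stanza will help.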

anantshah
Path Finder

I am trying to get the Application Event Logs. I see the data is still present in the Eventlog. Is there a way to force splunk to read all entries in the Application Eventlog?
