Getting Data In

Index historical Windows eventlogs after running splunk light forwarder for a week

Path Finder

Hello,

We installed Splunk Light forwarder about a week ago to collect windows event logs. We have been receiving the logs as expected from the date the forwarder was installed. Is there a way to go back and index all eventlog data?

Thanks.


Splunk Employee

The Windows app defaults to current_only=0 for the WinEventLog:Security input stanza. This means that it is probably trying to get all the event log events available via the eventlog API on the system. It's possible that via some configuration method you caused current_only=1 for this stanza, which would mean that we would try to start with the time of first install, and only get data after that time. You may want to review this in Manager, or in the configuration files.

Alternatively, it's possible that the background records you're interested in are simply not available via the WinEventLog API. Windows keeps only so many 'available' in the 'current set', and then pushes them out, either to disk or to nowhere, depending upon configuration.

If you have .evt/.evtx archives of these historical events, you can tell Splunk to index these files with monitor:// stanzas. These files are fairly sensitive to the installation environment in which they were produced, so it is usually best to index them on the node where they were produced.

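To make the two settings the answer above contrasts concrete, here is an inputs.conf fragment for the Application log; it is an added example written for this thread, not configuration posted by the employee or shipped with the Windows app, and the archive path is an assumption. The two WinEventLog stanzas are alternatives (a file would contain one of them), shown side by side so the difference is visible.

```ini
# inputs.conf on the forwarder (added example, not from the thread).
# The archive path under monitor:// is an assumed placeholder.

# Behaviour the questioner is seeing: only events written after the
# input first started are collected.
[WinEventLog://Application]
disabled = 0
current_only = 1

# Backfill behaviour: read everything the Event Log API still holds,
# starting from the oldest record, then keep following new events.
[WinEventLog://Application]
disabled = 0
current_only = 0
start_from = oldest
checkpointInterval = 5

# Exported .evt/.evtx archives, indexed on the host that produced them
# so that provider/message lookups resolve correctly.
[monitor://C:\EventLogArchive\*.evtx]
disabled = 0
sourcetype = preprocess-winevt
```

As the later reply notes, the input keeps a bookmark under var/lib/splunk/persistentstorage, so switching to current_only=0 alone will not re-read records already passed; clear that checkpoint while splunkd is stopped if you want the log read again from the oldest entry.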


Splunk Employee

It should try to get all the ones in the main eventlog listing by default. You might want to review the splunkd.log (or the _internal index) for errors about the WinEventLog processor. There is a token in var/lib/splunk/persistentstorage storing a bookmark of where we are in the eventlog stream. Wiping that when Splunk is down will cause us to start over. You could use Manager or btool to review whether current_only is set to true/1 for your inputs.


Path Finder

I am trying to get the Application event logs. I see the data is still present in the event log. Is there a way to force Splunk to read all entries in the Application event log?
