Getting Data In

Is it possible to transport data from a Windows event log view?

JensT
Communicator

Hi,

In our environment, many applications are logging to the Windows Application Event log.
We would like to transport it separately.

Is it possible to transport data from a Windows Event log View?

-Jens

0 Karma

woodcock
Esteemed Legend

You do not have to use Splunk's built-in WinEventLog facility. You can use the native Windows facilities to write a subset of logs to a directory/file and then use normal Splunk directory/file monitoring to forward them in.

0 Karma
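One concrete way to do what woodcock describes, as an added example that is not part of the thread: a saved Event Viewer custom view is an XML file whose <QueryList> element is exactly the filter Get-WinEvent -FilterXml accepts, so the script below replays the view, appends only new events as JSON lines to a drop file, and keeps a bookmark so scheduled runs do not duplicate records. The view, output and bookmark paths are assumptions.

```powershell
# Added example (not from the thread). Assumed paths: adjust to your environment.
$ViewFile  = 'C:\ProgramData\Microsoft\Event Viewer\Views\AppSubset.xml'  # assumption: saved custom view
$OutFile   = 'C:\SplunkDrop\app-view.json'                                # assumption: file Splunk monitors
$StateFile = 'C:\SplunkDrop\app-view.bookmark'                            # assumption: last RecordId written

# A custom view is XML; its <QueryList> is the same structured query Get-WinEvent -FilterXml takes.
[xml]$view = Get-Content -Path $ViewFile -Raw
$queryList = $view.SelectSingleNode('//QueryList')
if (-not $queryList) { throw "No <QueryList> element found in $ViewFile" }
[xml]$filter = $queryList.OuterXml

# Bookmark: only emit events with a RecordId higher than the last one written.
$lastId = 0
if (Test-Path $StateFile) { $lastId = [int64](Get-Content -Path $StateFile) }

$events = Get-WinEvent -FilterXml $filter -ErrorAction SilentlyContinue |
          Where-Object { $_.RecordId -gt $lastId } |
          Sort-Object RecordId

# One compact JSON object per line; ISO 8601 timestamps so Splunk's timestamp recognition works.
$lines = foreach ($e in $events) {
    [pscustomobject]@{
        TimeCreated  = $e.TimeCreated.ToString('o')
        RecordId     = $e.RecordId
        LogName      = $e.LogName
        ProviderName = $e.ProviderName
        EventId      = $e.Id
        Level        = $e.LevelDisplayName
        Computer     = $e.MachineName
        Message      = $e.Message
    } | ConvertTo-Json -Compress
}

if ($lines) {
    Add-Content -Path $OutFile -Value $lines -Encoding UTF8
    # Persist the highest RecordId so the next run resumes after it.
    Set-Content -Path $StateFile -Value ($events | Select-Object -Last 1).RecordId
}
```

Run it from a scheduled task and point a monitor input at the drop file (for example `[monitor://C:\SplunkDrop\app-view.json]` with `sourcetype = _json` in inputs.conf); the JSON fields then arrive already extracted.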

javiergn
SplunkTrust

Yes it's possible.
Take a look at this:

http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/Monitorwindowseventlogdata

In principle you would need something like the following in your inputs.conf file:

[WinEventLog://Application]
disabled = 0
start_from = oldest
index = yourindexname

Then simply search from your GUI with:

   index=yourindexname sourcetype=WinEventLog:Application

The default sourcetype for Windows Application Logs is the one I specified above, but you can change this (not recommended as it'll have a major impact on parsing, etc).

0 Karma

JensT
Communicator

Hello,

I do not want all Application Eventlogs. I want only logs from a VIEW.
And no, I do not want to use blacklist/whitelist.

Regards,
Jens

0 Karma

javiergn
SplunkTrust

If your view has a unique path you can do it this way:

[WinEventLog://Path-To-Your-View]
disabled = 0
start_from = oldest
index = yourindexname

For example:

[WinEventLog://Microsoft-Windows-TaskScheduler/Operational]

If that doesn't work for you, do you have any other way to uniquely identify those logs you are planning to collect? Is there a field that is unique for those events? If that's the case, blacklists and whitelists might be the only reasonable way even if you don't want to use them.

0 Karma