Getting Data In

Is it possible to transport data from a Windows event log view?

Communicator

Hi,

In our environment, many applications are logging into the Windows Application Event log.
We would like to transport it separately.

Is it possible to transport data from a Windows Event log View?

-Jens

Re: Is it possible to transport data from a Windows event log view?

SplunkTrust

Yes it's possible.
Take a look at this:

http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/Monitorwindowseventlogdata

In principle you would need something like the following in your inputs.conf file:

[WinEventLog://Application]
disabled = 0
start_from = oldest
index = yourindexname

Then simply search from your GUI with:

   index=yourindexname sourcetype=WinEventLog:Application

The default sourcetype for Windows Application logs is the one I specified above, but you can change this (not recommended, as it'll have a major impact on parsing, etc.).

Re: Is it possible to transport data from a Windows event log view?

Communicator

Hello,

I do not want all Application Event logs. I want only logs from a VIEW.
And no, I do not want to use blacklist/whitelist.

Regards,
Jens

Re: Is it possible to transport data from a Windows event log view?

SplunkTrust

If your view has a unique path you can do it this way:

[WinEventLog://Path-To-Your-View]
disabled = 0
start_from = oldest
index = yourindexname

For example:

[WinEventLog://Microsoft-Windows-TaskScheduler/Operational]

If that doesn't work for you, do you have any other way to uniquely identify those logs you are planning to collect? Is there a field that is unique for those events? If that's the case, blacklists and whitelists might be the only reasonable way even if you don't want to use them.

Re: Is it possible to transport data from a Windows event log view?

Esteemed Legend

You do not have to use Splunk's built-in WinEventLog facility. You can use the native Windows facilities to write a subset of logs to a directory/file and then use normal Splunk directory/file monitoring to forward them in.

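The approach in the last answer, written out as an added example that is not part of the original thread and not Splunk's or Microsoft's own code: a saved Event Viewer custom view is an XML file whose QueryList element is the same XPath filter Event Viewer applies, and Get-WinEvent -FilterXml accepts that element directly. The script below reads the view, exports only the events the view matches as one JSON object per line, and keeps a per-log bookmark so that a scheduled re-run appends only new events. The view name, output path, state file and the sourcetype name are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original thread): export the events matched by a
# saved Event Viewer custom view to a JSON-lines file that a Splunk
# [monitor://] input can pick up. Paths, view name and sourcetype are assumed.
param(
    # Custom views created in Event Viewer are saved as XML under this folder
    # (default location); "MyAppsView.xml" is an assumed file name.
    [string]$ViewFile  = "$env:ProgramData\Microsoft\Event Viewer\Views\MyAppsView.xml",
    [string]$OutFile   = 'C:\SplunkExport\app-view.jsonl',
    # Bookmark file so repeated runs (e.g. from Task Scheduler) only append new events.
    [string]$StateFile = 'C:\SplunkExport\app-view.state.json'
)

# Load the view definition and keep only <QueryList>, the XPath filter that
# Event Viewer uses and that Get-WinEvent -FilterXml understands.
[xml]$view = Get-Content -LiteralPath $ViewFile -Raw
$queryList = $view.SelectSingleNode('//QueryList')
if (-not $queryList) { throw "No <QueryList> element found in $ViewFile" }
[xml]$filterXml = $queryList.OuterXml

# RecordId is only unique within one log, and a view may span several logs,
# so the bookmark is kept per LogName.
$state = @{}
if (Test-Path -LiteralPath $StateFile) {
    $saved = Get-Content -LiteralPath $StateFile -Raw | ConvertFrom-Json
    foreach ($p in $saved.PSObject.Properties) { $state[$p.Name] = [int64]$p.Value }
}

New-Item -ItemType Directory -Path (Split-Path -Parent $OutFile) -Force | Out-Null

# Query oldest-first and drop anything already exported. Get-WinEvent raises an
# error (not an empty result) when nothing matches, hence SilentlyContinue.
$events = Get-WinEvent -FilterXml $filterXml -Oldest -ErrorAction SilentlyContinue |
    Where-Object {
        $seen = if ($state.ContainsKey($_.LogName)) { $state[$_.LogName] } else { 0 }
        $_.RecordId -gt $seen
    }

if (-not $events) { return }

# One compact JSON object per line. Splunk parses this with a sourcetype that
# sets INDEXED_EXTRACTIONS = json in props.conf (sourcetype name assumed).
$lines = foreach ($e in $events) {
    [pscustomobject]@{
        TimeCreated  = $e.TimeCreated.ToString('o')
        LogName      = $e.LogName
        ProviderName = $e.ProviderName
        EventID      = $e.Id
        Level        = $e.LevelDisplayName
        RecordId     = $e.RecordId
        Computer     = $e.MachineName
        Message      = $e.Message   # may be null if the provider is not installed
    } | ConvertTo-Json -Compress
}
Add-Content -LiteralPath $OutFile -Value $lines -Encoding UTF8

# Advance the per-log bookmark to the newest RecordId seen in this run.
foreach ($e in $events) {
    if (-not $state.ContainsKey($e.LogName) -or $e.RecordId -gt $state[$e.LogName]) {
        $state[$e.LogName] = $e.RecordId
    }
}
$state | ConvertTo-Json | Set-Content -LiteralPath $StateFile -Encoding UTF8

# Matching inputs.conf stanza on the forwarder (assumed names):
# [monitor://C:\SplunkExport\app-view.jsonl]
# sourcetype = app_view_json
# index = yourindexname
```

Run it on a schedule (Task Scheduler is the usual choice) and point a [monitor://] stanza at the output file. Because the filter comes straight from the view's XML, changing the view in Event Viewer changes what gets exported, with no whitelist or blacklist keys in inputs.conf.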