I want to monitor who is printing to which printer on my remote print server. Eventually I only want to see event ID 307; however, I'm unable to get any events from that log. I have added the following to my local/inputs.conf:
[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/MonitorWindowsdata#Event_log_monitor_configur... says I need to import it into the Windows Event Viewer, but this is already there. I have entered the full path as shown here: http://answers.splunk.com/answers/6219/windows-2008-server-event-viewer-logs
What am I missing?
Thanks.
I found the answer at http://forums.iis.net/p/1170786/1954080.aspx: I created a registry key on the source machine at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Microsoft-Windows-PrintService/Operational
and everything worked properly.
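As an added example (not part of the thread, and not from Splunk or the IIS forum post), here is the same fix done from PowerShell on the print server, followed by the check that event 307 is actually readable remotely with the collector's account. Two details worth knowing: the Operational channel is disabled by default, so enable it before blaming the collector; and the key name contains a forward slash, which PowerShell's registry provider treats as a path separator, so the key is created through .NET instead of New-Item. The server name is a placeholder, and the Param3/Param4/Param5 mapping for event 307 (user, client machine, printer) is an assumption to verify against your own events.

```powershell
# Added example, not from the original thread. Run elevated on (or against) the print server.
# Assumptions: $PrintServer is a placeholder; the Param-to-field mapping for ID 307 is assumed.
$LogName     = 'Microsoft-Windows-PrintService/Operational'
$PrintServer = 'servername'   # placeholder, same as in the thread's wmi.conf

# 1. The Operational log is off by default; confirm it is enabled.
$log = Get-WinEvent -ListLog $LogName -ComputerName $PrintServer
if (-not $log.IsEnabled) {
    wevtutil.exe sl $LogName /e:true /r:$PrintServer
}

# 2. Register the channel under the classic Eventlog key, as the accepted answer describes.
#    New-Item would split 'PrintService/Operational' at the slash and create the wrong key,
#    so use .NET, which only treats the backslash as a separator. Run this ON the print server.
$eventlogRoot = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Services\Eventlog', $true)
$channelKey = $eventlogRoot.CreateSubKey($LogName)   # opens it if it already exists
$channelKey.Close(); $eventlogRoot.Close()

# 3. Check that event 307 (Document printed) can be read remotely with the account
#    the Splunk service runs as, and pull out who printed what on which printer.
$events = Get-WinEvent -ComputerName $PrintServer `
    -FilterHashtable @{ LogName = $LogName; Id = 307 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No ID 307 events readable on $PrintServer; check the log is enabled, that jobs have been printed, and that the account is in Event Log Readers."
}

foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $p = $x.Event.UserData.DocumentPrinted   # assumed layout of the 307 payload
    [pscustomobject]@{
        Time     = $e.TimeCreated
        User     = $p.Param3   # assumed: printing user
        Client   = $p.Param4   # assumed: client machine
        Printer  = $p.Param5   # assumed: printer name
        Document = $p.Param2   # assumed: document name
        Pages    = $p.Param8   # assumed: pages printed
    }
}
```

Step 3 is the test that matters: if it returns rows under the same domain account the splunkd service uses, the log, the permissions and the channel are all fine, and what is left to debug is the Splunk input itself.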
I know you said you don't want to load the universal forwarder, but it is the easiest way to get this done. In my local\inputs.conf I have the following, indexed into an index called printlog, and it works flawlessly.
[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
index = printlog
[WinEventLog:Microsoft-Windows-PrintService/Admin]
disabled = 0
index = printlog
No success. I guess no one has gotten it to work this way.
I'll give it a few hours. I appreciate you helping me out with this, Luke.
Have you searched the indexer for printserver?
If it could not find the log, then I'm pretty sure it would throw an error.
You might want to give it some time.
Removed spaces and this is what I get in the log:
10-01-2013 11:22:12.990 -0700 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Microsoft-Windows-PrintService/Operational'
10-01-2013 11:22:12.990 -0700 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Microsoft-Windows-PrintService/Operational': total_events='0' with empty_msg='0'.
I checked server and I can see events in that log.
Try removing the spaces from [WMI:EventLog:PrintServers]
After you enable the WMI input, check the splunkd.log for errors. It may take a few minutes before it actually starts pulling data.
Yes, I only get these:
Application
Security
System
Hardware Events
Internet Explorer
Key Management Service
MSExchange Management
Windows Powershell
I was poking around and edited /etc/apps/launcher/local/wmi.conf and added:
[WMI:Event Log: Print Servers]
disabled = 0
index = default
interval = 5
server = servername
event_log_file = Microsoft-Windows-PrintService/Operational
This adds it to the Remote Event Log Collections, but it still doesn't pull anything.
I meant, have you tried enabling the Splunk WMI input for these logs?
Manager>Data Inputs>Remote Event Log Collections
Select Add New, enter server name, and try to "find the logs".
Yes I can view events on that server remotely via event viewer. Splunk service is running with a domain account that has access.
I've seen a few old posts about this that are unanswered, and no answered ones. This usually means a configuration problem.
Have you tried enabling WMI logging for these remote hosts?
Are you running the main splunkd service with a domain account that has access to these logs?
If it can be done, then it would be with the WMI log interface. Gonna have to think about that one.
I can see those logs on the host and I don't have a forwarder installed.
I'd like to query without having to install a forwarder. Can this be done?
Silly questions, but...
Is the local/inputs.conf you mentioned in the forwarder on the hosts connected to the printer? It won't work on the indexer alone.
On the hosts, can you see the logs you're after in the Windows event viewer?