Getting Data In

Microsoft-Windows-PrintService/Operational Logs

corommendoza
Explorer

I want to monitor who is printing to which printer on my remote print server. Eventually I only want to see event ID 307; however, I'm unable to get any events from that log. I have added the following to my local/inputs.conf:

[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0

http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/MonitorWindowsdata#Event_log_monitor_configur... says I need to import to the Windows Event Viewer but this is already there. I have entered the full path as shown here: http://answers.splunk.com/answers/6219/windows-2008-server-event-viewer-logs

What am I missing?

Thanks.
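Once the channel is being indexed, the remaining goal in the question is to keep only Event ID 307 and read off who printed to which printer. As an added example (not code from this thread or from Splunk), here is a small Python parser for 307 records in Windows event XML form; it assumes the DocumentPrinted Param1..Param8 layout (job, document, user, client, printer, port, bytes, pages) and runs on constructed sample events.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespaces (assumed layout of XML-rendered events).
NS_EVT = "http://schemas.microsoft.com/win/2004/08/events/event"
NS_SPOOL = "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"

# Order of the DocumentPrinted (Event ID 307) parameters; assumption taken
# from the event's message template, not stated anywhere in this thread.
PARAM_FIELDS = ["job_id", "document", "user", "client", "printer", "port", "bytes", "pages"]

def parse_print_event(xml_text):
    """Return a dict for one Event ID 307 record, or None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext(f"{{{NS_EVT}}}System/{{{NS_EVT}}}EventID") != "307":
        return None  # e.g. 800/801 job lifecycle events share this channel
    printed = root.find(f"{{{NS_EVT}}}UserData/{{{NS_SPOOL}}}DocumentPrinted")
    if printed is None:
        return None  # 307 without the expected payload: treat as malformed
    created = root.find(f"{{{NS_EVT}}}System/{{{NS_EVT}}}TimeCreated")
    record = {"time": created.get("SystemTime") if created is not None else ""}
    for i, name in enumerate(PARAM_FIELDS, start=1):
        record[name] = printed.findtext(f"{{{NS_SPOOL}}}Param{i}", default="")
    for name in ("bytes", "pages"):
        record[name] = int(record[name] or 0)  # numeric fields arrive as text
    return record

def pages_per_user_printer(xml_events):
    """Aggregate pages printed by (user, printer) over raw event XML strings."""
    totals = {}
    for xml_text in xml_events:
        rec = parse_print_event(xml_text)
        if rec is not None:
            key = (rec["user"], rec["printer"])
            totals[key] = totals.get(key, 0) + rec["pages"]
    return totals

# Constructed sample events (not captured from a real print server).
SAMPLE_307 = f"""<Event xmlns="{NS_EVT}"><System><EventID>307</EventID>
<TimeCreated SystemTime="2013-10-01T18:22:12.990Z"/>
<Channel>Microsoft-Windows-PrintService/Operational</Channel></System>
<UserData><DocumentPrinted xmlns="{NS_SPOOL}"><Param1>42</Param1>
<Param2>budget.xlsx</Param2><Param3>jdoe</Param3><Param4>\\\\WS01</Param4>
<Param5>HR-Printer</Param5><Param6>10.0.0.25_1</Param6><Param7>51200</Param7>
<Param8>3</Param8></DocumentPrinted></UserData></Event>"""
SAMPLE_800 = f"""<Event xmlns="{NS_EVT}"><System><EventID>800</EventID>
<Channel>Microsoft-Windows-PrintService/Operational</Channel></System></Event>"""

if __name__ == "__main__":
    print(parse_print_event(SAMPLE_307))
    print(pages_per_user_printer([SAMPLE_307, SAMPLE_800, SAMPLE_307]))
```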

PaVedme
Engager

I found the answer at http://forums.iis.net/p/1170786/1954080.aspx: I created a registry key on the source machine at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Microsoft-Windows-PrintService/Operational

and everything worked properly.

0 Karma

antlefebvre
Communicator

I know you said you don't want to load the universal forwarder, but it is the easiest way to get this done. In my local\inputs.conf I have the following indexed into an index called printlog and it works flawlessly.

[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
index = printlog

[WinEventLog:Microsoft-Windows-PrintService/Admin]
disabled = 0
index = printlog

corommendoza
Explorer

No success. I guess no one has gotten it to work this way.

0 Karma

corommendoza
Explorer

I'll give it a few hours. I appreciate you helping me out with this luke.

0 Karma

lukejadamec
Super Champion

Have you searched the indexer for printserver?

If it could not find the log, then I'm pretty sure it would throw an error.

You might want to give it some time.

0 Karma

corommendoza
Explorer

Removed spaces and this is what I get in the log:

10-01-2013 11:22:12.990 -0700 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Microsoft-Windows-PrintService/Operational'
10-01-2013 11:22:12.990 -0700 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Microsoft-Windows-PrintService/Operational': total_events='0' with empty_msg='0'.

I checked server and I can see events in that log.

0 Karma

lukejadamec
Super Champion

Try removing the spaces from [WMI:EventLog:PrintServers]
After you enable the WMI input, check the splunkd.log for errors. It may take a few minutes before it actually starts pulling data.

0 Karma

corommendoza
Explorer

Yes, I only get these:

Application
Security
System
Hardware Events
Internet Explorer
Key Management Service
MSExchange Management
Windows Powershell

I was poking around and edited /etc/apps/launcher/local/wmi.conf and added:

[WMI:Event Log: Print Servers]
disabled = 0
index = default
interval = 5
server = servername
event_log_file = Microsoft-Windows-PrintService/Operational

This adds to the Remote Event Log Collections but it still doesn't pull anything.

0 Karma

lukejadamec
Super Champion

I meant, have you tried enabling the Splunk WMI input for these logs?
Manager>Data Inputs>Remote Event Log Collections
Select Add New, enter server name, and try to "find the logs".

0 Karma

corommendoza
Explorer

Yes I can view events on that server remotely via event viewer. Splunk service is running with a domain account that has access.

0 Karma

lukejadamec
Super Champion

I've seen a few old posts about this that are unanswered, and no answered ones. This usually means a configuration problem.
Have you tried enabling WMI logging for these remote hosts?

Are you running the main splunkd service with a domain account that has access to these logs?

0 Karma

lukejadamec
Super Champion

If it can be done, then it would be with the WMI log interface. Gonna have to think about that one.

0 Karma

corommendoza
Explorer

I can see those logs on the host and I don't have a forwarder installed.
I'd like to query without having to install a forwarder. Can this be done?

0 Karma

lukejadamec
Super Champion

Silly questions, but...
Is the local/inputs.conf you mentioned in the forwarder on the hosts connected to the printer? It won't work on the indexer alone.
On the hosts, can you see the logs you're after in the Windows event viewer?

0 Karma