Getting Data In

Microsoft-Windows-PrintService/Operational Logs

Explorer

I want to monitor who is printing to which printer on my remote print server. Eventually I only want to see event ID 307; however, I'm unable to get any events from that log. I have added the following to my local/inputs.conf:

[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0

http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/MonitorWindowsdata#Event_log_monitor_configur... says I need to import to the Windows Event Viewer but this is already there. I have entered the full path as shown here: http://answers.splunk.com/answers/6219/windows-2008-server-event-viewer-logs

What am I missing?

Thanks.

Engager

I found the answer at http://forums.iis.net/p/1170786/1954080.aspx: I created a registry "Key" on the source machine at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Microsoft-Windows-PrintService/Operational

and everything worked properly.

0 Karma
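The two checks a practitioner would want before touching Splunk at all are (a) whether the PrintService/Operational channel on the print server is actually enabled and holding event 307 records (Splunk's `totalevents='0'` in the original question is consistent with a channel that exists but is switched off, which is its default state), and (b) what a WMI-based collector sees when it enumerates that server's logs, before and after the registry key from the answer above is added. The PowerShell below is an added example written for this page; it is not code from the thread or from Splunk. It assumes the log name used in the thread, a placeholder server name `servername`, and the parameter order of the event 307 template (job id, document, user, client, printer, port, bytes, pages), which you should confirm against Event Viewer's XML view on your own build.

```powershell
# Added example, not from the thread. Run on the print server in an elevated session.
$LogName = 'Microsoft-Windows-PrintService/Operational'   # channel named in the thread
$RegPath = 'SYSTEM\CurrentControlSet\Services\EventLog'  # parent of the key from the answer

function Test-PrintServiceLog {
    # Is the channel registered, enabled and non-empty? An existing but disabled
    # channel is the usual reason a collector reports zero events.
    $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    [pscustomobject]@{
        LogName     = $log.LogName
        IsEnabled   = $log.IsEnabled
        RecordCount = $log.RecordCount
        LogFilePath = $log.LogFilePath
    }
}

function Enable-PrintServiceLog {
    # Switch the operational channel on; this is what Event Viewer's
    # "Enable Log" menu item does.
    & wevtutil.exe sl $LogName /e:true
}

function Get-PrintJobEvents {
    param([int]$MaxEvents = 20)
    # Event 307 ("Document printed"). Property positions are ASSUMED from the
    # event template: [0] job id, [1] document, [2] user, [3] client,
    # [4] printer, [5] port, [6] bytes, [7] pages. Verify on your build.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 307 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = $p[2].Value
                Client   = $p[3].Value
                Printer  = $p[4].Value
                Document = $p[1].Value
                Pages    = $p[7].Value
            }
        }
}

function Get-WmiVisibleLogs {
    param([string]$ComputerName = 'servername')   # placeholder, as in the thread
    # Win32_NTEventlogFile is the class a WMI collector enumerates when it
    # "finds the logs". Compare this list with what you expect to collect.
    Get-CimInstance -ClassName Win32_NTEventlogFile -ComputerName $ComputerName |
        Select-Object -ExpandProperty LogfileName
}

function Add-EventLogRegistryKey {
    # Creates the key from the answer above. The .NET registry API is used
    # instead of New-Item because the PowerShell registry provider may treat
    # the '/' in the key name as a path separator and create a nested key.
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($RegPath, $true)
    if ($null -eq $base) { throw "Cannot open HKLM\$RegPath for writing; run elevated." }
    $key = $base.CreateSubKey($LogName)
    $key.Close(); $base.Close()
    "Created HKLM\$RegPath\$LogName"
}

# Usage (in order):
# Test-PrintServiceLog                       # IsEnabled False? then:
# Enable-PrintServiceLog
# Get-PrintJobEvents -MaxEvents 5            # who printed what, where
# Get-WmiVisibleLogs -ComputerName 'servername'
# Add-EventLogRegistryKey                    # then re-run Get-WmiVisibleLogs
```

Running `Get-WmiVisibleLogs` before and after `Add-EventLogRegistryKey` shows directly whether the registry key is what makes the channel appear in a remote WMI enumeration, which is the effect the answer reports; if `Test-PrintServiceLog` already shows `IsEnabled = True` and a non-zero `RecordCount`, the problem lies on the collection side, not on the server.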

Communicator

I know you said you don't want to load the universal forwarder, but it is the easiest way to get this done. In my local\inputs.conf I have the following indexed into an index called printlog and it works flawlessly.

[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
index = printlog

[WinEventLog:Microsoft-Windows-PrintService/Admin]
disabled = 0
index = printlog

Explorer

No success. I guess no one has gotten it to work this way.

0 Karma

Explorer

I'll give it a few hours. I appreciate you helping me out with this luke.

0 Karma

Super Champion

Have you searched the indexer for printserver?

If it could not find the log, then I'm pretty sure it would throw an error.

You might want to give it some time.

0 Karma

Explorer

Removed spaces and this is what I get in the log:

10-01-2013 11:22:12.990 -0700 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Microsoft-Windows-PrintService/Operational'
10-01-2013 11:22:12.990 -0700 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Microsoft-Windows-PrintService/Operational': totalevents='0' with emptymsg='0'.

I checked server and I can see events in that log.

0 Karma

Super Champion

Try removing the spaces from [WMI:EventLog:PrintServers]
After you enable the WMI input, check the splunkd.log for errors. It may take a few minutes before it actually starts pulling data.

0 Karma

Explorer

Yes, I only get these:

Application
Security
System
Hardware Events
Internet Explorer
Key Management Service
MSExchange Management
Windows Powershell

I was poking around and edited /etc/apps/launcher/local/wmi.conf and added:

[WMI:Event Log: Print Servers]
disabled = 0
index = default
interval = 5
server = servername
eventlogfile = Microsoft-Windows-PrintService/Operational

This adds to the Remote Event Log Collections but it still doesn't pull anything.

0 Karma

Super Champion

I meant, have you tried enabling the Splunk WMI input for these logs?
Manager>Data Inputs>Remote Event Log Collections
Select Add New, enter server name, and try to "find the logs".

0 Karma

Explorer

Yes, I can view events on that server remotely via Event Viewer. The Splunk service is running with a domain account that has access.

0 Karma

Super Champion

I've seen a few old posts about this that are unanswered, and no answered ones. This usually means a configuration problem.
Have you tried enabling WMI logging for these remote hosts?

Are you running the main splunkd service with a domain account that has access to these logs?

0 Karma

Super Champion

If it can be done, then it would be with the WMI log interface. Gonna have to think about that one.

0 Karma

Explorer

I can see those logs on the host and I don't have a forwarder installed.
I'd like to query without having to install a forwarder. Can this be done?

0 Karma

Super Champion

Silly questions, but...
Is the local/inputs.conf you mentioned in the forwarder on the hosts connected to the printer? It won't work on the indexer alone.
On the hosts, can you see the logs you're after in the Windows event viewer?

0 Karma