Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Monitoring Windows Event Logs

keio_splunk
Splunk Employee
Splunk Employee
‎04-08-2019 12:58 AM

Windows Event Log files (.evtx) monitoring stop working after a while and the Splunk universal forwarder has to be restarted to start data collection again.

Here is the [monitor] stanza configured to monitor the Windows Event Log files (.evtx):
[monitor://C:\Windows\System32\winevt\Logs\VisualSVNServerActivity.evtx]
disabled = 0
index = WinEvent

[monitor://C:\Windows\System32\winevt\Logs\VisualSVNServerManagement.evtx]
disabled = 0
index = WinEvent

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

keio_splunk
Splunk Employee
Splunk Employee
‎04-08-2019 01:07 AM

Universal forwarder will not poll for inputs for window events when specifying the [monitor] if interval is not specified.
i.e.
[monitor://C:\Windows\System32\winevt\Logs\VisualSVNServerActivity.evtx]
disabled = 0
index = WinEvent

Solution 1: Specify an interval value for the [monitor] stanza:
[monitor://C:\Windows\System32\winevt\Logs\VisualSVNServerActivity.evtx]
interval = 60
disabled = 0
index = WinEvent

Solution 2: Use [WinEventLog] stanza for Windows Event Log files monitoring:
[WinEventLog://VisualSVNServerActivity]
disabled = 0
index = WinEvent

Refer to Monitor Windows event log data.

View solution in original post

Reply
Solved! Jump to solution
Solution

keio_splunk
Splunk Employee
Splunk Employee
‎04-08-2019 01:07 AM

Universal forwarder will not poll for inputs for window events when specifying the [monitor] if interval is not specified.
i.e.
[monitor://C:\Windows\System32\winevt\Logs\VisualSVNServerActivity.evtx]
disabled = 0
index = WinEvent

Solution 1: Specify an interval value for the [monitor] stanza:
[monitor://C:\Windows\System32\winevt\Logs\VisualSVNServerActivity.evtx]
interval = 60
disabled = 0
index = WinEvent

Solution 2: Use [WinEventLog] stanza for Windows Event Log files monitoring:
[WinEventLog://VisualSVNServerActivity]
disabled = 0
index = WinEvent

Refer to Monitor Windows event log data.

Reply
Get Updates on the Splunk Community!

Best Strategies to Optimize Observability Costs

 Join us on Tuesday, May 6, 2025, at 11 AM PDT / 2 PM EDT for an insightful session on optimizing ...

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...
Top