Solved: Monitoring Windows Hyper-V Event Logs

tgow · ‎02-18-2011

What is the inputs.conf syntax for monitoring Windows Hyper-V Event Logs? Hyper-V event logs are stored in the Event Viewer under "Applications and Services Logs", "Microsoft", "Windows".

Thanks in advance.

Ron_Naken · ‎02-20-2011

If you add a data input for either Local Event Log Collection or Remote Event Log Collection in the UI, Splunk will allow you to enumerate the log repositories under the various branches -- just click on the repository for Hyper-V to add it to the list.

The syntax for WMI.CONF looks like this for a remote machine:

[WMI:HyperV]
disabled = 0
event_log_file = <full name>
interval = 5
server = myserver

You can retrieve the <full name> of the log repository you want to index like this: open Microsoft Event Viewer, right-click the log repository for Hyper-V, click Properties, and copy/paste what's in the Full Name field.

HTH
Ron

View solution in original post

Ron_Naken · ‎02-20-2011

If you add a data input for either Local Event Log Collection or Remote Event Log Collection in the UI, Splunk will allow you to enumerate the log repositories under the various branches -- just click on the repository for Hyper-V to add it to the list.

The syntax for WMI.CONF looks like this for a remote machine:

[WMI:HyperV]
disabled = 0
event_log_file = <full name>
interval = 5
server = myserver

You can retrieve the <full name> of the log repository you want to index like this: open Microsoft Event Viewer, right-click the log repository for Hyper-V, click Properties, and copy/paste what's in the Full Name field.

HTH
Ron

Monitoring Windows Hyper-V Event Logs

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...