My Search Head receives WinEventLog://Application and System, but [WinEventLog://Security] is not found. I'm using Splunk_TA_windows. This is my inputs.conf config in local.
# it works
[WinEventLog://Application]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = false

# does not work
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml = false
index = wineventlog

# it works
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = false
index = wineventlog

###### Forwarded WinEventLogs (WEF) ######
[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false.
# the posted value "flase" was a typo; per the note above this stays true
renderXml = true
host = WinEventLogForwardHost
index = wineventlog
This TA was copied from another server where it works fine. Even though I'm using a domain admin account to run the service, I still don't get the Windows Security event log.
Hi @Alex1,
Sorry but I don't understand:
is it correct?
First, can you confirm that you're speaking of the Search Head's logs?
Did you check whether the Splunk_TA_Windows Security logs input is enabled on server 2 (you can check this in inputs.conf)?
If it's enabled, check with the btool command whether there's another inputs.conf pointing to the Windows Security logs.
You can do it from the CLI by running this command and redirecting the results to a text file to analyze:
splunk btool inputs list --debug > my_file.txt
You have to see if there are two stanzas pointing to the Windows Security logs.
Lastly, if you have a Windows Search Head, rethink this: I've done many Splunk installations and I use Windows only for testing on my PC, never in production environments!
Ciao.
Giuseppe
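One way to act on the btool suggestion above, as an added example (not Giuseppe's code or Splunk's): parse the `--debug` output and report which files contribute settings to the Security stanza and whether it ends up disabled. It assumes the `<path>.conf  <config line>` layout that `--debug` prints; the sample output below is constructed.

```python
"""Parse `splunk btool inputs list --debug` output and show, per input
stanza, where each effective setting comes from.  Added example, not code
from the thread.  Assumed line layout: `<path to .conf>  <config line>`."""
import re
from collections import defaultdict

# path up to the first ".conf", then whitespace, then the config line
LINE_RE = re.compile(r"^(?P<src>.+?\.conf)\s+(?P<text>\S.*)$")

# Constructed sample: the Security stanza is merged from two apps, and a
# stray copy in a second app turns the input off.
SAMPLE_BTOOL = """\
C:\\Program Files\\Splunk\\etc\\apps\\Splunk_TA_windows\\local\\inputs.conf   [WinEventLog://Application]
C:\\Program Files\\Splunk\\etc\\apps\\Splunk_TA_windows\\local\\inputs.conf   disabled = 0
C:\\Program Files\\Splunk\\etc\\apps\\Splunk_TA_windows\\local\\inputs.conf   index = wineventlog
C:\\Program Files\\Splunk\\etc\\apps\\Splunk_TA_windows\\local\\inputs.conf   [WinEventLog://Security]
C:\\Program Files\\Splunk\\etc\\apps\\old_win_inputs\\local\\inputs.conf      disabled = 1
C:\\Program Files\\Splunk\\etc\\apps\\Splunk_TA_windows\\local\\inputs.conf   index = wineventlog
C:\\Program Files\\Splunk\\etc\\apps\\Splunk_TA_windows\\default\\inputs.conf start_from = oldest
"""


def parse_btool(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        src, line = m.group("src"), m.group("text").strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current]  # make sure even a key-less stanza is recorded
        elif "=" in line and current is not None:
            key, val = (p.strip() for p in line.split("=", 1))
            stanzas[current][key] = (val, src)
    return dict(stanzas)


def audit_input(stanzas, name="WinEventLog://Security"):
    """Effective state of one input: present?, disabled?, and which files
    contributed settings (more than one usually means a stray copy)."""
    keys = stanzas.get(name)
    if keys is None:
        return {"present": False, "disabled": None, "sources": []}
    disabled_val, _ = keys.get("disabled", ("0", None))
    return {
        "present": True,
        "disabled": disabled_val.lower() in ("1", "true"),
        "sources": sorted({src for _, src in keys.values()}),
    }
```

Run it against the real `my_file.txt` instead of `SAMPLE_BTOOL`; a `sources` list with more than one app, or `disabled` coming out True, points at the stanza Giuseppe is asking about.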
Hi @Alex1,
let me understand:
is it correct?
At this point, one question: if you have one or more Indexers, why do you send logs to the Search Head?
Usually all logs are sent to the Indexers, which index them and share them with the Search Heads, so probably the problem is that the logs you're sending to the Search Head aren't in the Indexers, so they aren't visible, and the solution to your problem is simply to forward logs to the Indexers instead of the Search Heads.
You could also solve the problem by forwarding all of the Search Head's logs to the Indexers, and this is generally a Splunk best practice; but anyway it isn't a good idea to send logs to the Search Head.
Ciao.
Giuseppe
Hi gcusello,
Yes, it's correct. Sorry, I made a mistake.
I copied the Windows TA from server 1, which is still sending Application, System and Security to the indexers, to server 2.
But after copying it to server 2, I find the Windows Application and System logs, but not the Security log. Even when I used a domain admin account, I still got no Security log.
Hi gcusello,
Server 1 and 2 (Windows servers) -> indexers -> Search Head.
- At the Search Head, I can search the Windows event logs (Application, System, Security) of server 1. But when I search the Windows event logs of server 2 from the SH, I only find the Application and System event logs. (Server 1 and 2 have the same config.)
So, my problem is how I can get the "Security" Windows event log of server 2.
Hi @Alex1,
does my previous answer solve your question or not?
If it solves your question, OK; otherwise, did you check your configuration with btool?
Ciao.
Giuseppe
P.S.: karma Points are appreciated 😉