Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Reading WindowsEvent logs from UNC path

AndreasLP
Explorer
‎09-08-2012 02:59 PM

Hi,

I have some issues with setting up Splunk to read a WindwsEvent file stored on a network share. It seems like the setup is fine, but no files shows up in Splunk and nothing is indexed.

From the exact same destination I'm able to read windows update logs without any problems, so it shouldn't be any problems with the credentials. All files have the same permissions.

Since this is my first tme setting up Splunk I hope i have made some simple misstake which is easily fixed.

Tags (2)
0 Karma
Reply

neklov_splunk
Splunk Employee
Splunk Employee
‎09-08-2012 03:12 PM

Have you taken a look here: http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorwindowsdata

Reply

AndreasLP
Explorer
‎09-10-2012 05:50 AM

It turned out I was restricted by a very exotic Group Policy Setting. When that was corrected, everything works fine.

Thanks for all the answers and quick help!

0 Karma
Reply

MarioM
Motivator
‎09-09-2012 02:14 AM

Adding to the above the splunk which has access to the unc path need to be installed on Windows Vista, 7 or Server 2008/2008 R2 to read .evtx

0 Karma
Reply

MarioM
Motivator
‎09-09-2012 02:06 AM

what neklov_splunk was pointing to is the this part of the doc:
http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/MonitorWindowsdata#Index_exported_event_log_....

Reply

AndreasLP
Explorer
‎09-08-2012 03:55 PM

All access to the server is firewalled except for the network share where the logs are put as evtx files. I'm not allowed to connect directly to the originator. The files on the share are file dumps from the event log.

Reply

neklov_splunk
Splunk Employee
Splunk Employee
‎09-08-2012 03:49 PM

What access path is restricted?

0 Karma
Reply

AndreasLP
Explorer
‎09-08-2012 03:43 PM

Unfortunately that access path is restricted, I have only the UNC path to work with 😞

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...