Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Reading WindowsEvent logs from UNC path

AndreasLP
Explorer
‎09-08-2012 02:59 PM

Hi,

I have some issues with setting up Splunk to read a WindwsEvent file stored on a network share. It seems like the setup is fine, but no files shows up in Splunk and nothing is indexed.

From the exact same destination I'm able to read windows update logs without any problems, so it shouldn't be any problems with the credentials. All files have the same permissions.

Since this is my first tme setting up Splunk I hope i have made some simple misstake which is easily fixed.

Tags (2)
0 Karma
Reply

neklov_splunk
Splunk Employee
Splunk Employee
‎09-08-2012 03:12 PM

Have you taken a look here: http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorwindowsdata

Reply

AndreasLP
Explorer
‎09-10-2012 05:50 AM

It turned out I was restricted by a very exotic Group Policy Setting. When that was corrected, everything works fine.

Thanks for all the answers and quick help!

0 Karma
Reply

MarioM
Motivator
‎09-09-2012 02:14 AM

Adding to the above the splunk which has access to the unc path need to be installed on Windows Vista, 7 or Server 2008/2008 R2 to read .evtx

0 Karma
Reply

MarioM
Motivator
‎09-09-2012 02:06 AM

what neklov_splunk was pointing to is the this part of the doc:
http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/MonitorWindowsdata#Index_exported_event_log_....

Reply

AndreasLP
Explorer
‎09-08-2012 03:55 PM

All access to the server is firewalled except for the network share where the logs are put as evtx files. I'm not allowed to connect directly to the originator. The files on the share are file dumps from the event log.

Reply

neklov_splunk
Splunk Employee
Splunk Employee
‎09-08-2012 03:49 PM

What access path is restricted?

0 Karma
Reply

AndreasLP
Explorer
‎09-08-2012 03:43 PM

Unfortunately that access path is restricted, I have only the UNC path to work with 😞

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...