Solved: Re: Running Splunk Enterprise on Windows 2008 R2, ...

ceichhorn · ‎04-22-2015

I'm running Splunk Enterprise on a Windows 2008 R2 server and I'm looking to index the local security logs for the server in to splunk. I can't seem to figure out how to do this: can someone help me with that? I'm sure it's rather simple, I just can't find it. Thanks!

menonmanish · ‎04-22-2015

For Splunk 5, simply use the following in your inputs.conf
[WinEventLog:Security]
disabled = 0

For Splunk Latest release use
[WinEventLog://Security]
disabled = 0

Refer to http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/MonitorWindowsdata for more details.

View solution in original post

menonmanish · ‎04-22-2015

For Splunk 5, simply use the following in your inputs.conf
[WinEventLog:Security]
disabled = 0

For Splunk Latest release use
[WinEventLog://Security]
disabled = 0

Refer to http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/MonitorWindowsdata for more details.

ceichhorn · ‎04-22-2015

Thanks very much Meno, this got it.

Running Splunk Enterprise on Windows 2008 R2, how do I index local security logs?

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives

Join the Conversation

Running Splunk Enterprise on Windows 2008 R2, how do I index local security logs?

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives