Solved: Re: Running Splunk Enterprise on Windows 2008 R2, ...

ceichhorn · ‎04-22-2015

I'm running Splunk Enterprise on a Windows 2008 R2 server and I'm looking to index the local security logs for the server in to splunk. I can't seem to figure out how to do this: can someone help me with that? I'm sure it's rather simple, I just can't find it. Thanks!

menonmanish · ‎04-22-2015

For Splunk 5, simply use the following in your inputs.conf
[WinEventLog:Security]
disabled = 0

For Splunk Latest release use
[WinEventLog://Security]
disabled = 0

Refer to http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/MonitorWindowsdata for more details.

View solution in original post

menonmanish · ‎04-22-2015

For Splunk 5, simply use the following in your inputs.conf
[WinEventLog:Security]
disabled = 0

For Splunk Latest release use
[WinEventLog://Security]
disabled = 0

Refer to http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/MonitorWindowsdata for more details.

ceichhorn · ‎04-22-2015

Thanks very much Meno, this got it.

Running Splunk Enterprise on Windows 2008 R2, how do I index local security logs?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Mile High Learning with Splunk University, Denver, Colorado

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Join the Conversation