Solved: Re: Running Splunk Enterprise on Windows 2008 R2, ...

ceichhorn · ‎04-22-2015

I'm running Splunk Enterprise on a Windows 2008 R2 server and I'm looking to index the local security logs for the server in to splunk. I can't seem to figure out how to do this: can someone help me with that? I'm sure it's rather simple, I just can't find it. Thanks!

menonmanish · ‎04-22-2015

For Splunk 5, simply use the following in your inputs.conf
[WinEventLog:Security]
disabled = 0

For Splunk Latest release use
[WinEventLog://Security]
disabled = 0

Refer to http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/MonitorWindowsdata for more details.

View solution in original post

menonmanish · ‎04-22-2015

For Splunk 5, simply use the following in your inputs.conf
[WinEventLog:Security]
disabled = 0

For Splunk Latest release use
[WinEventLog://Security]
disabled = 0

Refer to http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/MonitorWindowsdata for more details.

ceichhorn · ‎04-22-2015

Thanks very much Meno, this got it.

Running Splunk Enterprise on Windows 2008 R2, how do I index local security logs?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?