Splunk Add-on for windows

Roy_9 · ‎05-29-2024

Hello,

Does the below log paths of windows logs can be ingested into Splunk and if this is available in any add-on's?

Microsoft\Windows\Privacy-Auditing\Operational EventLog

Thanks

PickleRick · ‎05-30-2024

Any eventlog you can see in the Event Viewer can be ingested into Splunk. It's just that you have to address it properly. The easiest way to find the proper name is to go to Event Viewer, find your eventlog, click RMB, select properties and see the Full Name field. In case of your log it's:

So you need to define a proper inputs.conf stanza for this log:

[WinEventLog://Microsoft-Windows-Privacy-Auditing/Operational]
index=<your_destination_index>
disabled=0

gcusello · ‎05-29-2024

Hi @Roy_9 ,

what is this kind of logs?

is there an add-on for these logs?

if they are text files, you can ingest in Splunk, but I never saw them, so you have to create your parsing rules.

Ciao.

Giuseppe

Roy_9 · ‎05-30-2024

Hi @gcusello

there are logs for the windows onesettings service "This service offers to report telemetry data back to MS about OS health, build info, etc. in order to keep the computer "healthy" . We came accross this setting recently. The logs are written to "Microsoft\Windows\Privacy-Auditing\" and they are in Windows Event Log

I am not sure whether these events can be tracked using Splunk add-on for windows, any thoughts on this?

Thanks

gcusello · ‎05-30-2024

Hi @Roy_9 ,

you can create a custom input and you have to find the parsing rules.

Ciao.

Giuseppe

Splunk Add-on for windows

inputs.conf

sourcetype

universal forwarder

Windows

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...